Home / server / Questions / 112599
Accepted
Rook
Asked: 2010-02-14 12:22:16 +0800 CST

SFTP File Restrictions

  • 772

Is it possible to use SFTP on Linux and restrict a user account to ONE directory such that no other directory listing can be obtained? Yes, I must use SFTP, FTP is only used by people that love getting hacked.

For instance I want someone to modify files in /var/www/code/ but I don't want them to be able modify anything else. I don't even want them to see the contents /tmp/.

(I will accept a "quick and dirty" solution, as long as it is secure.)

linux security ssh sftp

5 Answers

  1. Best Answer

    From sshd_config man-page:

    ChrootDirectory
             Specifies a path to chroot(2) to after authentication.  This
             path, and all its components, must be root-owned directories that
             are not writable by any other user or group.  After the chroot,
             sshd(8) changes the working directory to the user's home directo-
             ry.

             The path may contain the following tokens that are expanded at
             runtime once the connecting user has been authenticated: %% is
             replaced by a literal '%', %h is replaced by the home directory
             of the user being authenticated, and %u is replaced by the user-
             name of that user.

             The ChrootDirectory must contain the necessary files and directo-
             ries to support the user's session.  For an interactive session
             this requires at least a shell, typically sh(1), and basic /dev
             nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
             arandom(4) and tty(4) devices.  For file transfer sessions using
             ``sftp'', no additional configuration of the environment is nec-
             essary if the in-process sftp server is used, though sessions
             which use logging do require /dev/log inside the chroot directory
             (see sftp-server(8) for details).

             The default is not to chroot(2).
    • 4

  2. Another alternative could also be to replace their shell with MySecureShell which gives you features such as Chroot, Bandwidth limiting, Connection limiting, etc.. etc..

    http://mysecureshell.sourceforge.net/

    Using it in a webhosting environment at the moment and must say it's worked out quite nicely.

    • 2

  3. SFTP is NOT a feature-rich solution comparable to an FTP server like vsftpd. It doesn't support chroots; which is what you are looking for. FTPS (not SFTP) would be the best solution since it supports encryption, chroots, etc. vsftpd supports this and it's easy to setup.

    In addition be sure to take advantage of the pam_listfile module to explicitly state which users are allowed to login via ftps.

    • 0

  4. http://pizzashack.org/rssh/ lets you set up restricted ssh so that only SFTP/SCP are run; it also helps setting up the chroot.

    As CarpeNoctem points out, FTPS sometimes is a better solution. ssh, SFTP, scp are very "low-level", FTPS (like the unsafe FTP) are normally higher-level (virtual directories, virtual users, etc.).

    I think for the scenario you describe, both approaches would work.

    • 0
    • 0