Decided to re-phrase the question entirely in order to not have to make a new one.
I currently have an SFTP server set up using OpenSSH's SFTP functionality. All my users are chrooted, and everything works.
What I need most right now is for one user, which is not root (because this user can't have any real SSH powers!), to have access to all other users' chrooted dirs. This user's job is to fetch all uploaded documents every once in a while.
Directory structure as of now is:
/home
|_ /home/user1
|_ /home/user2
|_ /home/user3
With ChrootDirectory set as /home/%u
User "adminuser" should have access to user1, user2 and user3's directories without having access to /home or at the very least not to anything but /home.
Bonus points for the one who can tell me how to let users write inside /home/%u without having to make a new directory inside that dir which they own themselves, and not root as is the case with /home/%u (openssh chroot prerequisite).
Create a new home directory, such as /chroothome.
Have all users home directories live within that chroothome.
chroot adminuser to /chroothome.
For everything else, just use filesystem permissions.
As far as your "bonus question," it isn't possible using native functionality. The inability for the chroot user to write to the root directory is a security mechanism by design. Of course, you can always modify the source code.
Nevertheless, I suspect you could specify the user's home directory as /user1 and have the working directory at login be the one they could write to.
In your /etc/ssh/sshd_config add these lines:
Then change the owner of the user's home directory.
Restart the ssh server daemon.
1°) Sshd checks that the home directory is owned by the user who logged in.
2°) If you use chroot, sshd checks that every parent directory of the home is owned by root ( http://www.tenshu.net/archives/2008/10/09/openssh-51-chrootdirectory-permissions-issue/ )
If you want to chroot a user and let him read the chroots of other users, the home of this user has to be a parent directory of the chroots of these users. Because of that you will break one of the two previous rules.
AFAIK, the only solution would be to patch sshd :-)