I'm attempting to setup OpenSSH on Ubuntu 12.04 to allow the following
- User can only SFTP (no shell access)
- User can write (upload) files
- Access is secure such that no user can view another user's files and cannot compromise the server
To that end I attempted to setup Chroot following
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
http://www.serverubuntu.it/SFTP-chroot
Unfortunately I seem to have hit a brick wall summarized by the following:
It's ChrootDirectory ownership problem, sshd will reject sftp connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd doesn't consider secure. sshd's apparently strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable for the owner. So, for example, if the chroot environment is in a user's home directory both /home and /home/username must be owned by root and have permissions along the lines of 755 or 750 ( group ownership should allow user to access ).
https://wiki.archlinux.org/index.php/SFTP-chroot
"must be owned by root and only writable for the owner" seems to translate to "only writable by root"
That would seem to limit the utility of chroot to users that only need to download files.
I attempted to
- Change the home directory group ownership to sftpusers (a group I created, of which the user is a member)
- Change file permissions from 755 to 775 to allow the group to write
When I did that, I could no longer log in with SFTP.
Changing the ownership and permissions back restored the ability to log in.
Question
How do I setup SFTP in a secure manner, such that users can upload files to their own home directory?
No sooner had I posed this, I found a solution.
Create a directory under the chroot directory, e.g. something like
/home/myuser/transfer
That directory can be writable by the user.