Home / server / Questions / 711397
In Process
user2375592
Asked: 2015-08-07 10:34:58 +0800 CST

SFTP can access files on the whole disk

  • 772

I have an SFTP server setup, whenever a user tries to connect over SFTP they see the directory /home/user but then they can also change directory to /home and even /

How do I stop this so they can only see the current users home directory?

I have this in my sshd_config which 

Subsystem sftp internal-sftp
Match group ftpaccess
    ChrootDirectory /home/sony
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
ssh

2 Answers

  1. From https://wiki.archlinux.org/index.php/SFTP_chroot, emphasis mine:

    Write access to chroot dir

    ...if a user is able to write to the chroot directory then it is possible for them to escalate their privileges to root and escape the chroot. One way around this is to give the user two home directories - one "real" home they can write to, and one SFTP home that is locked down to keep sshd happy and your system secure. By using mount --bind you can make the real home directory appear as a subdirectory inside the SFTP home directory, allowing them full access to their real home directory.

    This can also be used to achieve other goals. For example, a user's home directory can be locked down per the sshd chroot rules, and bind mounts used to provide users access to other directories:

    # mkdir /home/user/web
# mount --bind /srv/web/example.com /home/user/web

    Optional add an entry to /etc/fstab:

    # echo '/srv/web/example.com/ /home/user/web        none    bind' >> /etc/fstab

    Now the user can log in with SFTP, they are chrooted to /home/user, but they see a folder called "web" they can access to manipulate files on a web site (assuming they have correct permissions in /srv/web/example.com.

    • 3

  2. As specified in the sshd_config man page:

    ChrootDirectory

    Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

    The pathname may contain the following tokens that are expanded at runtime once the connecting user has been authenticated: %% is replaced by a literal '%', %h is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user.

    So defining the chroot path /home/%u or %h may be what you are looking for.

    Take special note of the requirement for the sftp users home root dir (i.e. /home/exampleuser1, /home/exampleuser2 and so on) to be owned by the root user for this to work. Write access to the sftp user can only be given in subdirectories. This requirement was under scrutiny here.

    • 0