I am building an SFTP server on Red Hat 6.9 (to be clear, I'm using the FTP extension of OpenSSH). I followed the following guide:
https://www.howtoforge.com/tutorial/how-to-setup-an-sftp-server-on-centos/
I configured everything exactly as described. The client OS I'm using is Windows 10. I've tested with PuTTY's SFTP client and WinSCP (I do not believe my problem to be client related). When I attempt to connect, I get prompted for a username, then password. After entering my password, the session immediately closes. /var/log/secure shows these relevant messages:
Aug 2 14:30:28 SFTP_Server sshd[4087]: pam_unix(sshd:session): session opened for user scott.ftp by (uid=0)
Aug 2 14:30:28 SFTP_Server sshd[4089]: fatal: bad ownership or modes for chroot directory "/sftp/scott.ftp/data"
Aug 2 14:30:28 SFTP_Server sshd[4087]: pam_unix(sshd:session): session closed for user scott.ftp
To show the directory permissions match the tutorial:
[root@SFTP_Server data]# ls -alh / | grep sftp
drwxr-xr-x 4 root root 4.0K Aug 2 12:37 sftp
[root@SFTP_Server data]# ls -alh /sftp
total 16K
drwxr-xr-x 4 root root 4.0K Aug 2 12:37 .
dr-xr-xr-x. 25 root root 4.0K Aug 2 12:35 ..
drwxr-xr-x 3 root root 4.0K Aug 2 12:38 scott.ftp
[root@SFTP_Server data]# ls -alh /sftp/scott.ftp/
total 12K
drwxr-xr-x 3 root root 4.0K Aug 2 12:38 .
drwxr-xr-x 4 root root 4.0K Aug 2 12:37 ..
drwxrwx--- 2 scott.ftp sftpusers 4.0K Aug 2 12:38 data
[root@SFTP_Server data]# ls -alh /sftp/scott.ftp/data/
total 8.0K
drwxrwx--- 2 scott.ftp sftpusers 4.0K Aug 2 12:38 .
drwxr-xr-x 3 root root 4.0K Aug 2 12:38 ..
I'm not sure what gave me this idea to try, but for troubleshooting, I changed permissions on the "." directory:
[root@SFTP_Server data]# pwd
/sftp/scott.ftp/data
[root@SFTP_Server data]# chown root:root .
[root@SFTP_Server data]# ls -alh
total 8.0K
drwxrwx--- 2 root root 4.0K Aug 2 12:38 .
drwxr-xr-x 3 root root 4.0K Aug 2 12:38 ..
Now I try to connect again and I can successfully connect. But I cannot list directories, make directories, or perform any other action. The error I get here is "permission denied". While still connected over SFTP, in an alternate SSH connection, I change the permissions back:
[root@SFTP_Server data]# chown scott.ftp:sftpusers .
[root@SFTP_Server data]# ls -alh
total 8.0K
drwxrwx--- 2 scott.ftp sftpusers 4.0K Aug 2 12:38 .
drwxr-xr-x 3 root root 4.0K Aug 2 12:38 ..
Now I can create directories and other actions in the SFTP session. I exit the SFTP session and try to connect and the login fails as described above.
Any help is greatly appreciated.
This is not technically possible to create a chroot, which would be writable by the connecting user (unless you would use extended ACL, which is not a good practice in this case, when it is forbidden for a security reason). General advice is to either data/, that would be writable by that user.
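The ownership check behind the "bad ownership or modes for chroot directory" fatal, as an added example that is not part of the question or answer: OpenSSH requires every component of ChrootDirectory to be a root-owned directory that is not group- or world-writable. The function names (chroot_component_ok, check_chroot_path, demo_*) are my own; the live walker assumes GNU stat and readlink, as shipped on RHEL.

```shell
#!/bin/sh
# Mirrors the ownership/mode test sshd applies to every component of
# ChrootDirectory: each directory from / down to the chroot must be owned
# by root and must not be group- or world-writable. A failing component
# produces the "bad ownership or modes for chroot directory" fatal above.

# chroot_component_ok MODE OWNER [PATH]
#   MODE is an ls/stat-style string such as drwxr-xr-x, OWNER a user name.
#   Prints why sshd would refuse the component and returns 1; else returns 0.
chroot_component_ok() {
    mode=$1 owner=$2 path=${3:-?}
    case $mode in d*) ;; *) echo "$path: not a directory ($mode)"; return 1 ;; esac
    [ "$owner" = root ] || { echo "$path: bad ownership (owned by $owner)"; return 1; }
    case $mode in
        ?????w*)    echo "$path: bad modes, group-writable ($mode)"; return 1 ;;
        ????????w*) echo "$path: bad modes, world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR
#   Walks DIR and every parent up to / on the live filesystem (GNU stat and
#   readlink, as shipped on RHEL) and stops at the first refused component.
check_chroot_path() {
    dir=$(readlink -f "$1") || return 1
    while :; do
        owner=$(stat -c '%U' "$dir") || return 1
        mode=$(stat -c '%A' "$dir") || return 1
        chroot_component_ok "$mode" "$owner" "$dir" || return 1
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Constructed replay of the listing in the question with
# ChrootDirectory /sftp/scott.ftp/data: the chroot itself is owned by
# scott.ftp and group-writable, so the walk fails on the last component.
demo_question_layout() {
    chroot_component_ok drwxr-xr-x root /sftp &&
    chroot_component_ok drwxr-xr-x root /sftp/scott.ftp &&
    chroot_component_ok drwxrwx--- scott.ftp /sftp/scott.ftp/data
}

# Same tree with ChrootDirectory /sftp/scott.ftp instead: every component
# is root-owned and 755, and the user-writable data/ sits inside the chroot,
# where sshd does not check it.
demo_fixed_layout() {
    chroot_component_ok drwxr-xr-x root /sftp &&
    chroot_component_ok drwxr-xr-x root /sftp/scott.ftp
}
```

Run check_chroot_path /sftp/scott.ftp/data on the server to reproduce the failing component from the log, and check_chroot_path /sftp/scott.ftp to confirm the root-owned parent passes.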