How can I chroot sftp-only SSH users into their homes?
All this pain is thanks to several security issues as described here. Basically the chroot directory has to be owned by root
and can't have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell, and within that you can have your editable content.
sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writable
sudo chown bob:sftponly /home/bob/writable
sudo chmod ug+rwX /home/bob/writable
And bam, you can log in and write in /writable.
To chroot an SFTP directory, you must
Create a user and force root to be the owner of it:
sudo mkdir /home/john
sudo useradd -d /home/john -M -N -g users john
sudo chown root:root /home/john
sudo chmod 755 /home/john
Change the subsystem location in /etc/ssh/sshd_config:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
and create a user section at the end of the file (ssh can die respawning if it is placed after the Subsystem line):
Match User john
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
I spent the whole day trying to get a network share on my raspberry. I wanted to lock the user down so that it would not be able to navigate through the whole file system, would have no ssh login access, and would have write access to the network share.
And here is how I got it working:
First I created a user:
sudo useradd netdrive
Then I edited /etc/passwd and made sure it has /bin/false for the user, so the line was:
netdrive:x:1001:1004:Net Drive User,,,:/home/netdrive:/bin/false
I edited /etc/ssh/sshd_config to include:
Match User netdrive
ChrootDirectory /home/netdrive
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Changed home directory owner and permissions:
sudo chown root:root /home/netdrive/
sudo chmod 755 /home/netdrive/
Ok so after all this I was able to connect using sshfs, but in read-only mode. What I had to do to get a writable folder:
sudo mkdir -p /home/netdrive/home/netdrive/
sudo chown netdrive:netdrive /home/netdrive/home/netdrive/
sudo chmod 755 /home/netdrive/home/netdrive/
That was it, it worked without any further changes. Note that I gave write permission only to the user, not to the group as many other solutions online do. I was able to create/delete/edit/rename files/folders without problems.
When accessing using sshfs with the netdrive user, because of the chroot configuration I would only see things stored inside the server's /home/netdrive/ directory, perfect. The repeated /home/netdrive/home/netdrive/ directory structure is what made it work for me in having a clean chroot ssh writable solution.
Now I am going to explain below the problems I had. You should probably not execute the commands in the following paragraphs:
After looking at the above solutions (and many others on the net, which even used acl (access control lists)) I was still not able to get it working, because what I did next was the following, which did NOT work for me:
sudo mkdir /home/netdrive/writable/
sudo chown netdrive:netdrive /home/netdrive/writable/
sudo chmod 755 /home/netdrive/writable/
because the netdrive user was still not able to write in that /home/netdrive/writable/ directory despite owning the folder and having the permissions. Then I did:
sudo chmod 775 /home/netdrive/writable/
And now I could create a directory and delete it, but I was not able to edit it because it was being created without group-writable permissions. Here, from what I saw on the net, people use acl to fix it. But I was not happy with that since I had to install acl, then configure mount points, etc. Also I have no idea why I would need group permission to write to a folder owned by the same user.
It seems that for some reason, by creating /home/netdrive/home/netdrive and giving ownership of the last netdrive folder to the user, I was able to make everything work without messing with group permissions.