Good day. I currently have a request to have sftp access to a specific directory for a user(s). They can have access to that folder only, and nothing below it.
Now here is the gotcha that seems to be catching me. The folder they need access to is NOT owned by root, and most of the parent directories aren't either. I can't change this easily either, due to the "application" writing in these directories. Of course, the openssh chroot functionality relies on this to setup and secure the chroot environment.
I am wondering what is the best methodology to get this done? I was initially thinking of having a ChrootDirectory elsewhere, and then doing a bind mount, however, I don't know how 'secure' that would be.
layout:
Quote:
user app1 /home/user/appdir/archive (need SFTP access here)
user app1 /home/user/appdir (can't have SFTP access here, or any parent from here)
/etc/ssh/sshd_config specific contents:
Quote:
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /chroot/home/user/appdir/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Quote:
lslpp -l |grep openssh.base.server | uniq
openssh.base.server 5.4.0.6101 COMMITTED Open Secure Shell Server
Any suggestions ?