Sftp server/chrooted trying to limit user permissions

 
Thread Tools Search this Thread
Operating Systems Linux Red Hat Sftp server/chrooted trying to limit user permissions
# 1  
Old 10-15-2014
Sftp server/chrooted trying to limit user permissions

I needed to set up an sftp server for an external user to upload data for an internal developer.

What I did was created a chrooted user for the external guy, and then created an internal group with full permissions to that directory and then made the internal developer a member of that group so he could grab whatever he needed/etc.

My question is how can I minimize the permissions of the chrooted user so that he/she can upload ONLY, not list what's in the directory, manipulate what's already in there, etc. When I tried locking down the permissions I started running into problems - with only write and/or execute the user was not able to get into the directory, etc. Or is this a limitation with this kind of setup, namely that the chrooted user has to have elevated (rwe) permissions for this to work?

Last edited by xdawg; 10-15-2014 at 02:15 PM..
# 2  
Old 10-15-2014
Ok,
I recently configured this on LINUX machine.

You will run all the below commands as root.

The below is required to be created/added one time only

Create a group (this is one time process)

Run the below command to create the group

Code:
# groupadd <groupname>
Ex: # groupadd sftponly ( I used sftponly as group name)

Once we create the group, we will edit the file called sshd_config, which is under
Code:
‘/etc/sshd’  directory

# vi /etc/ssh/sshd_config

Go to line where it says 

Subsystem sftp xxxxxxxxx change it to below

Subsystem sftp internal-sftp

In the same file go to the bottom of the file and add the below

Match Group sftponly
 ChrootDirectory %h
 ForceCommand internal-sftp
 X11Forwarding no
 AllowTcpForwarding no

You can reload or restart the sshd Daemon
  # service sshd reload

Note: The above is one time process; it’s like sets and forgets.

Now coming to users, we have to perform the operation for each new user.

Remember the default home directory for users is /home/<username>

Creating a new user for sftp process:

Create/add a new user
Code:
# useradd <username>

Ex: # useradd sftptest ( I took sftptest user as an example)

Now, we modify the primary group of user

# usermod –aG <group> <user>

Ex: # usermod –aG sftponly sftptest

Create a upload directory under user’s home directory.

# sudo –u sftptest mkdir -pv /home/sftptest/upload

Change the file owner and group

# chown root. /home/sftptest

Change the file mode bits

# chmod 755 /home/sftptest

Change the group ownership

# chgrp -R sftponly /home/sftptest

You will repeat the same process for each user.

I hope this helps.

Last edited by ibmtech; 10-15-2014 at 02:23 PM..
# 3  
Old 10-15-2014
Quote:
My question is how can I minimize the permissions of the chrooted user so that he/she can upload ONLY, not list what's in the directory, manipulate what's already in there, etc. When I tried locking down the permissions I started running into problems - with only write and/or execute the user was not able to get into the directory, etc. Or is this a limitation with this kind of setup, namely that the chrooted user has to have elevated (rwe) permissions for this to work?
The ability to eXecute a directory is what allows you to cd into it.

The ability to Write to a directory is what allows you to add files to it -- as well as delete and rename them.

The ability to Read a directory is what allows you to list its contents.

It may be possible to make a write-only directory with access control lists, but ordinary rwx doesn't offer this.

You could also just give him a different folder. Nothing to stomp on or delete except his own files that way.
# 4  
Old 10-15-2014
Quote:
Originally Posted by Corona688
The ability to eXecute a directory is what allows you to cd into it.

The ability to Write to a directory is what allows you to add files to it -- as well as delete and rename them.

The ability to Read a directory is what allows you to list its contents.

It may be possible to make a write-only directory with access control lists, but ordinary rwx doesn't offer this.

You could also just give him a different folder. Nothing to stomp on or delete except his own files that way.
Yeah, but for whatever reason when I give the user only wx permissions it does not allow them to CD into the directory. I suppose it has something to do with chroot/sftp set up.
# 5  
Old 10-15-2014
Quote:
Originally Posted by xdawg
Yeah, but for whatever reason when I give the user only wx permissions it does not allow them to CD into the directory.
Having cd-ed into the folder, they find themselves unable to (R)ead it, which causes an error.

Usually you set a folder eXecutable but not Readable when you intend for people to chdir straight past it -- i.e. cd /restricted/folder/somethingelseinsidewhichIamallowedtouse
# 6  
Old 10-15-2014
Sometimes you can get this sort of behavior by having a special daemon process watch the dir and move files out once they are opened, so there is nothing to see.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Change sFTP home directory for particular user and from specific server

Hello Folks, Of course i came here for your favour :) How to set a defalult home directory for sFTP login ( at present users land in to their home directrory) when they connect from specific server. When server(A) sFTP's to Linux server(B) they land to thier home directory. I want... (5 Replies)
Discussion started by: Thala
5 Replies

2. UNIX for Beginners Questions & Answers

Sftp change file permissions

Hi All, Apologies if this question has been asked before. I havent been able to resolve an issue and would like some help. I am getting files pushed to me via sftp. The files once pushed to my server in folder ABC have -rw------- but I need these files to have the following -rw-rw---- to be... (1 Reply)
Discussion started by: israr75
1 Replies

3. Red Hat

SFTP with limit(l) option

Hi, I have sftp installed in some of my corporate servers (test and production). However, I notice that it does not have the limit(l) option for bandwidth limit option. Why is this? Is it because sftp was not installed with other necessary packages? How do I make sftp available with the... (4 Replies)
Discussion started by: anaigini45
4 Replies

4. Shell Programming and Scripting

How to scp File from root user in one server to say crt user in another server and avoid password?

Can someone help in writing some script through which I can transfer file (scp) from root user in abc server to crt user in hfg server and can give the crt user password in script itself so that it doesn't prompt me every time for password (4 Replies)
Discussion started by: Moon1234
4 Replies

5. UNIX for Advanced & Expert Users

Sftp user chrooted in a directory

Hello, I have a task to create 3 users that must connect only via sftp on a machine, and must have only read access to a certain directory (thay shouldn;t be able to cd anywhere else) The problem is that the directory where these users must have access to, it's already created/owned by another... (0 Replies)
Discussion started by: black_fender
0 Replies

6. Solaris

How do files transferred via ftp or sftp gets thier permissions at destination?

We have umask defined under /etc/.login as 022. I have my user specific umask defined in /userhome/.login as 002. I understand ftp will not execute anything at destination, it simply transfers files. But it seem to be using 022 as umask for the files transferred. How does ftp knows what umask... (4 Replies)
Discussion started by: kchinnam
4 Replies

7. UNIX for Advanced & Expert Users

chrooted SFTP upload folder

Hi List, I have set up a chrooted SFTP setup following the instructions I found on tech republic: /blog/opensource/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/229 I have successfully got it all working and I can download files when logged in via sftp... (0 Replies)
Discussion started by: landossa
0 Replies

8. Red Hat

Loggin SFTP activity for chrooted (rssh) users

Hi, I need to log the activity of my SFTP (RHEL 5.4). I have this in /etc/sshd/sshd_config: Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL5 -l VERBOSE And this in /etc/syslog.conf: LOCAL5.* /var/log/sftp.log When I log in... (1 Reply)
Discussion started by: Tr0cken
1 Replies

9. Shell Programming and Scripting

sftp file size limit

Hi, Can some one please tell me the file size limit (if any) while using sftp I am trying to transfer a file ( size is almost 350 MB ) but it fails as shown below. sftp> put file1 ./file1 Uploading file1 to /dir1/./file1 file1 25% 100MB 10.2MB/s 00:28 ETA Couldn't write to remote... (6 Replies)
Discussion started by: vikash_k
6 Replies

10. UNIX for Dummies Questions & Answers

sftp permissions

Hi I've been banging my head with this problem for two days, and I'm quite hopeless. First of all, i would like to insist that no samba is involved. I have a bunch of users whose home directory is /home/SFFS . Always. All of them. And they all belong to the group sffs. Permissions of... (4 Replies)
Discussion started by: Calvin1602
4 Replies
Login or Register to Ask a Question