I have my sftp users chrooted into /var/www and I would like for them to be automatically moved into their directory. I found this answer which helped me a lot: Chroot SFTP - Possible to allow user to write to current (chroot) directory. But I want to move the user into his or her home directory (=/= name of the user) instead (which is a sub-dir of var/www). I tried:

Match Group sftpusers
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /var/www
  ForceCommand internal-sftp -d %h

But I get fatal: percent_expand: unknown key %h [postauth].

EDIT: I found that %d is the user directory but it doesn't seem to work because it is looking for it based on /var/www.

leonheess

1 Answer

As I understand it, the problem you're facing is that the internal-sftp call is happening after the chroot is in place, thus the %h (as well as the attempted %d) is being expanded within the chroot. Even though your users live in /var/www/$USERNAME, using %d will naturally instruct internal-sftp to run out of /var/www/var/www/$USERNAME.

%u should work around this issue:

Match Group sftpusers
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /var/www
  ForceCommand internal-sftp -d /%u

This will tell internal-sftp to run out of a directory called /$USERNAME. Since this call is happening after the chroot is established, it should dereference to /var/www/$USERNAME outside of the chroot.

As discussed in the comments, since your usernames and homedir names are divergent, a workaround would be to use the above config, then create a /var/www/USERNAME for each user and bind mount /var/www/USERNAME to /var/www/CURRENT_HOMEDIR_NAME, like so: mkdir /var/www/USERNAME; mount -o bind /var/www/USERNAME /var/www/CURRENT_HOMEDIR_NAME.

Now you'll have two directories under /var/www for each username, but one will simply point to the other - internal-sftp will then work as expected and whatever you have that needs to access the homedirs as /var/www/CURRENT_NAME won't break.

Omar Buhidma
  • I think you understood my problem BUT the home directory does NOT have the same name as the user. – leonheess May 06 '20 at 16:59
  • Hmmmm. To be honest, I can't see a good way to make it work if the username is different than the home directory name. An "outside the box" option might be to change the users' homedirectories to be their username, then create a hardlink linking every homedirectory name you're currently using to the new homedirectory name. That way, you can use the config I outlined above and still reference your users' homedirectories with the name you're currently using - just means each directory will appear twice under /var/www: once as their username and once as the current name – Omar Buhidma May 06 '20 at 17:09
  • That sounds complex. We already have all information with `%d` which is `/var/www/x` we just need to "extract" the x or remove the /var/www/ somehow... – leonheess May 06 '20 at 17:13
  • unfortunately, there's no command expansion within sshd_config, so you can't do any transformations on the % expansion – Omar Buhidma May 06 '20 at 17:14
  • 1
    Damn I guess I'll have to start renaming users :/ – leonheess May 06 '20 at 17:15
  • I can't even do that because users can't have . in their name – leonheess May 06 '20 at 17:16
  • Which command would you suggest for the hardlink? – leonheess May 06 '20 at 17:18
  • `ln /var/www/CURRENTNAME /var/www/NEWNAME.` This will result in what appears to be two directories, but each will just be a pointer to the same spot in the filesystem. Unlike symlinks (which you get with "ln -s"), these will be indecipherable from one another. – Omar Buhidma May 06 '20 at 17:21
  • 1
    Wait, it's telling me `hard link not allowed for directory` – leonheess May 06 '20 at 17:32
  • My bad - looks like hard links for directories has been removed as it creates the possibilities of loops. Easy fix, use bind mounts instead. So, something like this: `mkdir /var/www/NEWNAME; mount -o bind /var/www/CURRENTNAME /var/www/NEWNAME` – Omar Buhidma May 06 '20 at 17:36
  • 1
    Works perfectly - ty so much – leonheess May 06 '20 at 17:51
  • Glad I could help! – Omar Buhidma May 06 '20 at 17:52
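A dry-run planner for the bind-mount workaround above, added here as an example and not code from the answer or its comments: it reads constructed `username:homedir` pairs, rejects homes that lie outside the ChrootDirectory or unsafe usernames, and prints the mkdir/mount commands with the source/target order used in the final comment (existing home is the source, the new username directory is the target) plus an fstab line so the mounts survive a reboot. The CHROOT path and the input pairs are assumptions.

```shell
#!/bin/sh
# Plan the per-user bind mounts described in the answer without touching the
# system; review the printed commands, then run them as root.
# sshd requires the ChrootDirectory itself (here /var/www) to be owned by root
# and not writable by group or others, so the alias dirs are created under it,
# not as the chroot root.
CHROOT=/var/www   # assumed ChrootDirectory from the Match block

# Reads "username:homedir" lines on stdin, prints commands on stdout.
# Returns 1 if any entry was rejected (messages go to stderr).
sftp_bind_plan() {
    rc=0
    while IFS=: read -r user home; do
        [ -n "$user" ] || continue
        case "$home" in
            "$CHROOT"/*) ;;   # home must live inside the chroot
            *) echo "# skip $user: $home is outside $CHROOT" >&2; rc=1; continue ;;
        esac
        case "$user" in
            */*|.|..) echo "# skip $user: unsafe name" >&2; rc=1; continue ;;
        esac
        alias_dir="$CHROOT/$user"          # what "internal-sftp -d /%u" resolves to
        if [ "$alias_dir" = "$home" ]; then
            echo "# $user: home already matches username, nothing to do"
            continue
        fi
        # Same sequence as the accepted comment: empty dir named after the
        # user, then the real home bind-mounted onto it.
        printf 'mkdir -p %s\n' "$alias_dir"
        printf 'mount -o bind %s %s\n' "$home" "$alias_dir"
        # Persist it; a plain "mount -o bind" is gone after reboot.
        printf '# fstab: %s %s none bind 0 0\n' "$home" "$alias_dir"
    done
    return $rc
}

# Constructed sample input: alice's home is named after her site, bob's
# already matches his username, eve's is outside the chroot and is rejected.
printf 'alice:/var/www/example.com\nbob:/var/www/bob\neve:/home/eve\n' | sftp_bind_plan
```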