
I'm setting up a sftp server where clients will only have read-only access. They will log into their chroot directories, which is fine, but I need an admin account that can access/write to those directories.

/var/www/hosts <- admin chroot  (root:root, 700)
 -- /domain1    <- client1 chroot (root:root, 700)
 -- /domain2    <- client2 chroot (root:root, 700)
 -- /domain3    <- client3 chroot (root:root, 700)

All the sftp users go to the correct spots after login, but the admin account can see the sub-directories but can't enter them and obviously can't write to them.

I've tried setting ACL permissions for the sub-directories which gives the admin account write access; this works but breaks client's sftp access because sshd reports a fatal error about incorrect chroot ownership/permissions and aborts the logins.

What can I do to solve my issue?

iGuy

1 Answer

OK, so I changed the permissions to 755 for all directories, created a "data" directory within each domain, set its permissions to root:admsftp 775 and modified my sshd_config to include

ForceCommand internal-sftp -d /data

So now when the client connects they are forced into the data directory, still read-only. Sure, they can go up a directory, but all they can do from there is go back into the "data" directory.

Not ideal but does what I need.

iGuy
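As an added example (not code from the original post), the script below builds the layout from this answer on a scratch tree, emits the sshd_config `Match` stanza for one client, and emulates the sanity check sshd applies to a `ChrootDirectory` (every path component root-owned and not group/world-writable), which is exactly why the 775 "data" directory has to sit inside the chroot rather than be it. It assumes GNU `stat` (Linux); the `AllowTcpForwarding no` / `X11Forwarding no` lines are my hardening additions, and the `chgrp admsftp` step is omitted because it needs root.

```shell
#!/bin/sh
# check_chroot_path PATH [OWNER_UID] [STOP]
# Walks from PATH up to STOP (inclusive, default /) and applies the same rules
# sshd uses for ChrootDirectory: owned by OWNER_UID (default 0 = root) and
# no group/world write bit. OWNER_UID/STOP are parameters only so the check
# can be exercised on a scratch tree as an unprivileged user.
# Returns 0 if every component is safe, 1 on the first unsafe one (printed),
# 2 if PATH cannot be stat'ed or STOP is not an ancestor of PATH.
check_chroot_path() {
    p=$1; want_uid=${2:-0}; stop=${3:-/}
    while :; do
        info=$(stat -c '%u %A' "$p") || return 2
        set -- $info   # $1 = numeric owner uid, $2 = e.g. drwxrwxr-x
        if [ "$1" != "$want_uid" ]; then
            echo "unsafe chroot: $p owned by uid $1, want $want_uid"; return 1
        fi
        # in the symbolic mode string char 6 is group write, char 9 is other write
        case $2 in
            ?????w*|????????w*)
                echo "unsafe chroot: $p is group/world-writable ($2)"; return 1 ;;
        esac
        [ "$p" = "$stop" ] && return 0
        [ "$p" = / ] && return 2
        p=$(dirname "$p")
    done
}

# make_layout BASE: the tree from the answer; chroots 755, data dirs 775
# (constructed scratch layout; chgrp admsftp needs root and is left out)
make_layout() {
    for d in domain1 domain2 domain3; do
        mkdir -p "$1/$d/data" || return 1
        chmod 755 "$1" "$1/$d"
        chmod 775 "$1/$d/data"   # admsftp group members can write here
    done
}

# sftp_match_block USER CHROOT: sshd_config stanza for one read-only client,
# landing the session in /data as the answer describes
sftp_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp -d /data\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}
```

Run `check_chroot_path /var/www/hosts/domain1` as root on the real host before restarting sshd; it reports the offending component instead of leaving you to read it out of the sshd log after clients are already locked out.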