I have a VPS running Debian and would like to create user accounts on it.

I want it so that when the user logs in with SFTP, everything in var appears to be their home directory and they cannot cd out of it.

For example, when user3 logs in, they have access to everything in var (read, write, execute) but cannot view (cd) user1 or user2's personal stuff.

How would I go about doing this?

I think I have to do this in chroot, but I have no idea how this would work.

Thanks

dukevin

3 Answers

The #1 problem that people encounter with chrooted SFTP is that OpenSSH, by default, requires that root owns the whole path to a given user's chroot directory. In other words, if you want to chroot someone into /home/someone, / must be owned by root and have permissions no wider than 0755, /home must be owned by root and have permissions no wider than 0755, and perhaps most surprisingly, /home/someone must be owned by root and have permissions no wider than 0755. In your case, you want to chroot people into /var (I'm not even going to ask), so you avoid this permissions problem, but in other cases where it's unavoidable, you may want to look into mount --bind.

As to the actual chrooting, you've got two options for how to go about it: either by group or by user. In either case, you'll edit the sshd_config file. For group-wide, it'll look like:

    Match group sftponly
        ForceCommand internal-sftp
        ChrootDirectory /var
        AllowTcpForwarding no

For per-user configuration, it'll simply be:

    Match user sftpdude
        ForceCommand internal-sftp
        ChrootDirectory /var
        AllowTcpForwarding no

Note that internal-sftp wasn't supported until OpenSSH version 5 or so, so you may have to compile a custom copy of OpenSSH if you don't have access to a v5 package.

BMDan
  • @bm Thanks, but I want to avoid downloading new things like OpenSSH, is there a way to do this without OpenSSH? If not, I'll try this out as soon as I fix my VPS from installing ProFTPd – dukevin Feb 25 '11 at 13:30
  • @Kevin: OpenSSH is a fairly common part of any linux server. If you can ssh or sftp into the server then you are probably using OpenSSH already. – Arrowmaster Feb 25 '11 at 20:10
  • Thank you, this has actually been a big help. Quick question, on the second Match user sftpdude, do I replace "dude" with the username? – dukevin Feb 27 '11 at 12:48
  • I guess not since it didn't work :/ Would you be so kind as to explain step by step for me, I don't know much about this at all. Thanks – dukevin Feb 27 '11 at 12:56
  • This is what I have and it didn't work. It's giving me a permission denied when I log in even though file permissions are as wide as possible. http://img828.imageshack.us/img828/1336/111exy.jpg – dukevin Feb 27 '11 at 14:05
  • It looks like /home/duke/aa/servers/demo/var is not accessible to the "demo" user. Try `DIR=; for dir in $(echo /home/duke/aa/servers/demo/var | tr '/' ' '); do DIR=$DIR/$dir; ls -ld $DIR; done` and make sure that the first column isn't, for example, "drwxr-x---". – BMDan Mar 16 '11 at 16:09
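
The ownership rule from the accepted answer, and the path walk from the last comment, as an added example script (not code from the answer or from OpenSSH). It checks every component of a candidate ChrootDirectory against sshd's rule (root-owned, not group- or world-writable) and warns where the SFTP user could not traverse a component; it assumes GNU coreutils stat as shipped with Debian, and /var is only the sample argument.

```sh
#!/bin/sh
# Added example (not part of the answer): check a ChrootDirectory path against
# sshd's rule that every component is root-owned and no wider than 0755.
# Assumes GNU coreutils stat (as on Debian); /var is only a sample argument.

# component_ok UID PERMS  (PERMS as printed by 'ls -ld', e.g. drwxr-xr-x)
component_ok() {
    [ "$1" -eq 0 ] || return 1               # must be owned by root
    case "$2" in
        ?????w*)    return 1 ;;              # group write bit (6th character)
        ????????w*) return 1 ;;              # other write bit (9th character)
    esac
    return 0
}

# check_one DIR: report one component; warn if the SFTP user cannot traverse it
check_one() {
    if [ ! -d "$1" ]; then
        echo "MISSING $1"; return 1
    fi
    uid=$(stat -c '%u' "$1")
    perms=$(stat -c '%A' "$1")
    if component_ok "$uid" "$perms"; then
        echo "ok      $1 ($perms uid=$uid)"
    else
        echo "BAD     $1 ($perms uid=$uid): must be root-owned, max 0755"
        return 1
    fi
    case "$perms" in
        *x|*t) ;;                            # others may enter the directory
        *) echo "WARN    $1 not traversable by non-owner users (no o+x)" ;;
    esac
}

# check_chroot_path DIR: walk /, /a, /a/b, ... up to DIR (the same walk as the
# one-liner in the comment above); returns 1 if any component fails
check_chroot_path() {
    dir=""; rc=0
    check_one / || rc=1                      # the loop below never sees the root
    for comp in $(printf '%s\n' "$1" | tr '/' ' '); do
        dir="$dir/$comp"
        check_one "$dir" || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi   # e.g. sh check_chroot.sh /var
```

A BAD line is what produces sshd's "bad ownership or modes for chroot directory" refusal; a WARN line lets sshd chroot the user but the user then cannot list or enter that directory. Paths containing spaces are not handled by the word-splitting walk.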
If you chmod 700 each user directory only the directory owner will be able to access the contents of that directory.

i.e. chmod 700 /home/duke/aa/servers/user2 will prevent any user other than user2 (and root) from accessing it.

Of course user2 needs to be the owner of /home/duke/aa/servers/user2 to access his own files.

Shaun Dewberry
Depending on the FTP server you use this should be relatively easy. Both proftpd and vsftpd, which are available as packages in Debian, support chroot as an option. The ProFTPd docs are here.

For SSH/SFTP look at http://www.debian-administration.org/articles/590

Niall Donegan
  • Yeah, but my clients are going to be using sftp not server – dukevin Feb 25 '11 at 11:55
  • Same applies to SSH/SFTP. Have a look at http://www.debian-administration.org/articles/590 The ChrootDirectory variable can be set to an arbitrary directory based on the user, not just $HOME – Niall Donegan Feb 25 '11 at 12:37
  • Thanks, very useful link. But I still can not get it to work. Any idea what might be happening here? http://img828.imageshack.us/img828/1336/111exy.jpg – dukevin Feb 27 '11 at 14:06