4

I have a question about creating a user with sort of jailed shell access (actually all is required of this user is an sftp access to one particular directory).

Scenario is as follows - I have an existing code which is IonCube protected so I cant really mess with it - I am stuck with output folders it provides. What it does it creates some folders with some files to download during it's operation. All that ends up in /var/www/xy/backup/orderbackup/random-name-folder-here/files_here

Now, I would like to create a user who will have an sftp access to /var/www/xy/backup/files/ and its underlings but preferably nowhere else.

Do I create a regular user and then jail him to that directory (although I am not sure if I can create jail there because I cant change /var/www/xy/backup/orderbackup/ ownership to root cause it will stop saving files), or perhaps should I use some other technique.

I read posts about RSSH, MySecureShell etc. which approach would be middle ground between being secure and complicated to set-up (I am not a linux guru).

Thanks in advance!

RandomWhiteTrash
  • 269
  • 1
  • 3
  • 17

3 Answers3

6

OpenSSH (which also provides sftp and scp functionality) has gained chroot functionality in its later versions. Basically you just need to add lines similar to these one to your /etc/ssh/sshd_config file.

Subsystem sftp internal-sftp

Match group sftpusers
     ChrootDirectory /var/www/xy/backup/files/
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp

Then create a new group called sftpusers with command groupadd sftpusers.

The last step is then to create a user belonging to group sftpusers: 

useradd -g sftpusers -d /var/www/xy/backup/files yourusername 
passwd yourusername

Then just restart your ssh service: /etc/init.d/sshd restart and you should be all set.

Janne Pikkarainen
  • 31,852
  • 4
  • 58
  • 81
  • 2
    Worth noting that the ChrootDirectory functionality was only added since OpenSSH 4.8p1 and RHEL 5.5 only has OpenSSH 4.3p2. – James Yale Jul 13 '11 at 11:28
  • Oh dear, RHEL 5.x truly seems to be that ancient. – Janne Pikkarainen Jul 13 '11 at 11:34
  • Thanks for detailed answer, however I can not test if it works because my OpenSSH is 4.3p2 version and does not support keyword Match!! Question is - can I reinstall OpenSSH to newer version remotely without loosing connectivity? – RandomWhiteTrash Jul 13 '11 at 11:44
2

You can use sshd configuration to achieve this. Create a user e.g. fred then add the following to your sshd_config file

Match user fred
    ChrootDirectory /var/www/xy/backup/files
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

This will lock the user fred to the desired directory and it's sub directories. The user fred only needs r--access to the file and r-x to the directories. Check the current permissions it may already be able to do this.

user9517
  • 115,471
  • 20
  • 215
  • 297
0

Maybe you could define a new group, just for this sftp user, change group ownership of directory to that group and set setgid bit on the directory?

This may or may not work, depending on how the application creates the directories.

Paweł Brodacki
  • 6,511
  • 20
  • 23