0

I am trying to chroot a user when they log in with ssh. So, what I did was add the following line to their .bashrc file:

`chroot /apps/web`

When I log in with the user, though, I am getting:

`chroot: cannot change root directory to /apps/web: Operation not permitted`

/apps/web is owned by the root user and group. Any ideas?

Justin
  • What exactly are you trying to achieve by doing a chroot? Are you trying to limit sftp to a single directory, or are you just trying to make it easier for the user by changing the directory to the correct location by default? Is the account only to be used for git and nothing else? – Zoredache Sep 07 '11 at 20:45
  • Make it easier, but when using git. So in the git remote address they can simply do: `ssh://user@myserver.mydomain.com/first-app` instead of `ssh://user@myserver.mydomain.com/apps/web/first-app` – Justin Sep 07 '11 at 20:49
  • You might need to look at some of the tools meant to do this. See this question: http://serverfault.com/questions/105712/locking-down-git-ssh-server. It mentions gitosis and gitolite – Zoredache Sep 07 '11 at 20:52
  • I am trying to avoid installing a full git server. Just want the convenience of not having to type /apps/web, but not a huge deal if not possible. Though it's strange: when I ssh with `cd /apps/web` in the .bashrc file it works, but git doesn't. I thought git connects with ssh, so it seems like it would have to execute the .bashrc file. – Justin Sep 07 '11 at 21:02
  • It is not strange, bash is probably started when git invokes ssh. Or at least it wouldn't be started as a login shell so the rc files would not get executed. I believe you could just create a symlink in your home directory linking first-app -> apps/web/first-app. Not sure why you are that worried about it though. If you set up git correctly you should only have to type the URL once. – Zoredache Sep 07 '11 at 22:16

1 Answer

2

Only root has permission to chroot.

This probably won't give you a usable login - do you have a complete copy of all executables, data and libraries the user would need under /apps/web? It won't work without it.

If you do, then you can accomplish this by using sudo and allowing all users to execute, as root, a passwordless chroot /apps/web.

MikeyB
  • Ok, so any way to force the user into the directory /apps/web once they log in? I don't need chroot, but when they log in I want them to start at /apps/web, but keep their home directory at /home/user. – Justin Sep 07 '11 at 20:33
  • Oh, even easier. Put `cd /apps/web` into their `.bashrc`. – MikeyB Sep 07 '11 at 20:36
  • So this works when I ssh in, but with git, if I try and provide a repo url: `ssh://user@myserver.mydomain.com/first-app` it does not work. But `ssh://user@myserver.mydomain.com/apps/web/first-app` works. Is this because git is not executing the .bashrc file? – Justin Sep 07 '11 at 20:39
  • 1
    When git logs in over SSH, .bashrc does not get executed. A better option would be to log in as a single git user so your remote refs look like, for instance: `git+ssh://git@remote/~/repos/App1` – MikeyB Sep 07 '11 at 21:40
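
The path mapping behind the URLs discussed in this thread, as an added example that is not part of any post above: in git's documented URL syntax an `ssh://` path is absolute on the server, a leading `/~/` means the login user's home, and the scp-like `user@host:path` form is relative to the home directory. The function names are hypothetical, `/home/user` is the home directory given in the comments, and `/home/git` is an assumed home for the `git` user.

```shell
#!/bin/sh
# Added example: which directory does a git-over-SSH remote URL refer to?

# remote_path URL -> the path string git hands to the remote side.
remote_path() {
    url=$1
    case $url in
        ssh://*|git+ssh://*)
            rest=${url#*://}                  # drop the scheme
            case $rest in */*) ;; *) return 1 ;; esac
            path=/${rest#*/}                  # text after host[:port]
            case $path in
                /~*) path=${path#/} ;;        # "/~/x" is sent as "~/x"
            esac
            ;;
        *:*)
            host=${url%%:*}
            case $host in */*) return 1 ;; esac   # a slash before ":" is a local path
            path=${url#*:}                    # scp-like syntax host:path
            ;;
        *)
            return 1 ;;
    esac
    printf '%s\n' "$path"
}

# server_dir HOME PATH -> directory opened on the server.
# Only the "~/" form is handled here, not "~otheruser/".
server_dir() {
    home=$1 path=$2
    case $path in
        /*)    printf '%s\n' "$path" ;;               # absolute: home is ignored
        "~/"*) printf '%s\n' "$home/${path#??}" ;;    # strip the leading "~/"
        *)     printf '%s\n' "$home/$path" ;;         # relative to the home directory
    esac
}

# The two remotes from the thread, plus the scp-like form of the first.
for u in ssh://user@myserver.mydomain.com/first-app \
         ssh://user@myserver.mydomain.com/apps/web/first-app \
         user@myserver.mydomain.com:first-app; do
    printf '%s -> %s\n' "$u" "$(server_dir /home/user "$(remote_path "$u")")"
done
```

The first URL resolves to `/first-app`, which does not exist on the server, regardless of any `cd` in `.bashrc`. The scp-like form resolves to `/home/user/first-app`, which is where the symlink suggested in the comments would sit.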