1

Possible Duplicate:
set up a chrooted SFTP login with OpenSSH

I am not familiar with chroot jails so please forgive my ignorance.

From my understanding you would normally chroot a user to their home directory - ex: /home/username.

I would like to chroot all (or ideally a specific group of users) to a certain directory.

For example, a user should be able to get to /web/TheirUserDir and /web/GroupDirThatAreIn - basically I would like to make it so the group "webusers" cannot go above /web.

Thanks in advance for ideas, thoughts and answers.

ckliborn

1 Answer

1

What you are asking for is not possible using (only) chroot, as /web/userDir and /web/groupDir share /web as their lowest common root.

Forcing them to use sftp and limiting them to /web is as close as you can get:

    Match group webusers
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /web

The rest can (and should) be handled by ACLs.

84104