
I've successfully set up SFTP to chroot a user to their home directory.

However, I have a case that I haven't been able to find any examples of, and the odd permissions needed for chroot make me wonder if I can do this at all.

I need to have a user, say "fileadmin", that can create new folders under their home folder (via SFTP - they won't be logging in with a shell unless something is being debugged, etc.) that then become new users' chrooted folders. This way, fileadmin can upload files for these other users, which they can then pull down (read-only access is fine).

So an example of the filesystem setup would be:

    /home/fileadmin/          (fileadmin's home folder)
    /home/fileadmin/rouser1
    /home/fileadmin/rouser2
    etc...

User fileadmin doesn't need to be a chrooted account - it's the one we control and I trust it.

I've put fileadmin and the rouserX accounts in the same group and set the subfolders' group ownership to that group.

When I attempt this setup, I get "fatal: bad ownership or modes for chroot directory component" when I log in with any of the "rouserX" accounts.

Anyone have any idea how to set up the permission to make this work? Is it possible?

The rouserX accounts are stored in openldap, so the idea would be that they would be added after the folder was created by fileadmin (via a backend ldap webapi I'm not involved with).

BWAZ
  • Possible duplicate of [this](http://serverfault.com/questions/497011/sftp-user-cant-edit-or-create-files/497027#497027) question – dawud Apr 11 '13 at 19:33

2 Answers


All directories from the chrooted user's home up to the root must be owned by root:root and must not be group- or world-writable. This is probably not the case for fileadmin's home directory.

This is very similar to this question.

dawud
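Added example, not from the thread or from either poster: a POSIX shell check that applies the rule in this answer to every component of a ChrootDirectory path, which is the same ownership and mode test sshd performs before chrooting a session and that produces the "bad ownership or modes for chroot directory component" message from the question, together with the sshd_config Match block that goes with such a layout. The user name rouser1 and the path /home/fileadmin/rouser1 come from the question; the files subdirectory, the optional EXPECTED_UID argument (there only so the check can be exercised as a non-root user) and the layout commands in the trailing comment are assumptions. The rule also settles the question's constraint: because /home/fileadmin itself must be root-owned and not writable by fileadmin's group, a non-root fileadmin cannot create the rouserX chroot directories on its own.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the ownership/mode
# rules sshd applies to every component of a ChrootDirectory path, so a
# "bad ownership or modes for chroot directory component" failure can be
# diagnosed before a user logs in. Paths and user names are illustrative.

# check_component DIR [EXPECTED_UID]
# One path component passes when it is owned by EXPECTED_UID (root, uid 0,
# unless overridden for testing) and is neither group- nor world-writable.
check_component() {
    dir=$1
    want_uid=${2:-0}
    # ls -ldn is POSIX: field 1 is the symbolic mode, field 3 the numeric uid.
    line=$(ls -ldn "$dir") || return 2
    set -- $line
    mode=$1
    uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD  $dir: owned by uid $uid, expected uid $want_uid"
        return 1
    fi
    # In the mode string (d rwx rwx rwx) position 6 is the group write bit
    # and position 9 the world write bit; either one is fatal for sshd.
    case $mode in
        ?????w*|????????w*)
            echo "BAD  $dir: group- or world-writable ($mode)"
            return 1 ;;
    esac
    echo "ok   $dir ($mode, uid $uid)"
    return 0
}

# check_chroot_path CHROOT [EXPECTED_UID]
# Walk from CHROOT up to / and apply check_component to every directory on
# the way, which is what sshd does before chrooting the session.
check_chroot_path() {
    p=$1
    want_uid=${2:-0}
    while :; do
        check_component "$p" "$want_uid" || return 1
        if [ "$p" = / ]; then
            return 0
        fi
        p=$(dirname "$p")
    done
}

# print_sshd_match USER CHROOT
# The sshd_config fragment that goes with the layout: the chroot directory
# stays root-owned, and the user only gets a subdirectory inside it.
print_sshd_match() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Assumed layout (run as root on the real host; these are example paths):
#   mkdir -p /home/fileadmin/rouser1/files
#   chown root:root /home/fileadmin /home/fileadmin/rouser1
#   chmod 755 /home/fileadmin /home/fileadmin/rouser1
#   chown fileadmin:rouser1 /home/fileadmin/rouser1/files
#   chmod 750 /home/fileadmin/rouser1/files
#   check_chroot_path /home/fileadmin/rouser1
#   print_sshd_match rouser1 /home/fileadmin/rouser1 >> /etc/ssh/sshd_config
```

Run check_chroot_path against the ChrootDirectory value for a failing account; the first component it reports as BAD is the one sshd is refusing. In the question's layout that will be /home/fileadmin as soon as fileadmin, rather than root, owns it.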

Thanks. I found one way to do it was to set the chroot for all users to the same directory, then set the home directory down from there (i.e., the chroot was /chroot, and user "test" had a home of /home/test, which was effectively /chroot/home/test). This works the way I want it, sort of. The problem is that, since I had to use group perms to make it work, user2 could get into user1's folder if they knew the correct path.

I ended up compiling ProFTPD with SSH/SFTP support and it works exactly the way I want.

BWAZ