0

I have an account on Debian named 'usera'. 'usera' has a home directory of /home/whatever.

When I log in to WinSCP using 'usera' and its credentials - I am able to go "up" one directory into /home and then eventually into '/'. I specifically made this account to restrict access to this home directory as the credentials are shared.

Note: This directory is also used as web root for an apache2 virtual host, but 'usera' is in the 'www-data' group, so I don't think that apache has anything to do with this problem.

Any suggestions?

Sam Levin
  • 2
    "I specifically made this account to restrict access to this home directory as the credentials are shared." <-- how exactly did you do that? Please edit your question with all the relevant details necessary to answer. Setting a user's home directory alone does not restrict them in any way from browsing the rest of the filesystem. – EEAA Oct 30 '13 at 04:31
  • 1
    **chroot jail?** Just saying it was specifically made to restrict access without saying how you did it doesn't confer any useful information beyond wishful thinking. – Fiasco Labs Oct 30 '13 at 05:01
  • Seems as if that was an ignorant statement. What I meant by that was "I created a user with a specific home directory that doesn't have administrator privileges". I thought that action alone restricted the user to that directory when you ssh in with those credentials. Whoops! – Sam Levin Oct 30 '13 at 15:44

1 Answer

2

By default, /home and / are world-readable, and the scp subsystem of sshd doesn't restrict chdirs, so there is no reason to expect this to work. You would need to force a restricted environment on the user by some means. For example, scp jail. With scp jail, you wouldn't be able to write directly to the home directory, but you could create a writable subdirectory and have other things (like the web root) pointed at that rather than directly at the homedir.

William Hay
  • Will - by doing that, the directions state that the jailed account shouldn't have write access. In that case how could the user upload or modify files in that directory? – Sam Levin Oct 30 '13 at 15:46
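
The layout the answer describes (a jail root the user cannot write to, plus a writable subdirectory for uploads) can be audited with a short script. This is an added example, not part of the original answer: it assumes the rule OpenSSH applies to a `ChrootDirectory` (every path component owned by root and not writable by group or others), and the `upload` subdirectory name is hypothetical.

```shell
#!/bin/sh
# Added example: audit a jail root and its writable upload subdirectory.
# Assumption: OpenSSH ChrootDirectory rule - every path component must be
# owned by root (uid 0) and not writable by group or others.

# check_component DIR [OWNER_UID]: 0 if DIR has the expected owner (default
# uid 0) and no group/other write bit, 1 if not, 2 if DIR is not a directory.
check_component() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory" >&2; return 2; }
    # "ls -ldn" prints e.g. "drwxr-xr-x 3 0 0 4096 ..." (numeric uid in field 3)
    line=$(ls -ldn "$dir")
    mode=${line%% *}
    uid=$(printf '%s\n' "$line" | awk '{print $3}')
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    status=0
    [ "$uid" = "$want_uid" ] || { echo "FAIL $dir: owner uid $uid, want $want_uid" >&2; status=1; }
    [ "$group_w" = "-" ] || { echo "FAIL $dir: group-writable ($mode)" >&2; status=1; }
    [ "$other_w" = "-" ] || { echo "FAIL $dir: world-writable ($mode)" >&2; status=1; }
    return $status
}

# check_jail_root PATH [OWNER_UID]: apply check_component to PATH and to
# every parent directory up to "/", reporting all failures.
check_jail_root() {
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot resolve: $1" >&2; return 2; }
    rc=0
    while :; do
        check_component "$p" "${2:-0}" || rc=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# check_upload_dir DIR USER_UID: the writable subdirectory inside the jail
# must be owned by the jailed user and owner-writable.
check_upload_dir() {
    [ -d "$1" ] || return 2
    line=$(ls -ldn "$1")
    [ "$(printf '%s\n' "$line" | awk '{print $3}')" = "$2" ] || return 1
    [ "$(printf '%s' "$line" | cut -c3)" = "w" ]
}

# Usage: sh audit_jail.sh /home/whatever <uid of usera>
# ("upload" is a hypothetical name for the writable subdirectory)
if [ $# -eq 2 ]; then
    check_jail_root "$1" && check_upload_dir "$1/upload" "$2"
fi
```

A non-zero exit means either a path component would let the jailed user alter the jail root, or the upload directory is not usable by that user.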