
On CentOS release 6.5 (Final) I created a restricted user test1

useradd -s /bin/false test1

and configured sshd_config as follows

Subsystem sftp internal-sftp

Match User test1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

defined the home directory for user test1

usermod -d /usr/local/tomcat/webapps/ROOT test1

then

chown root:root /usr/local/tomcat/webapps/ROOT
chown test1:test1 -R /usr/local/tomcat/webapps/ROOT/*
chmod 755 -R /usr/local/tomcat/webapps/ROOT/*

restarted sshd and tried to log into sftp

# sftp test1@localhost
Connecting to localhost...
test1@localhost's password:

sftp> ls -la
drwxr-xr-x    9 0        0            4096 Feb 16 08:20 .
drwxr-xr-x    9 0        0            4096 Feb 16 08:20 ..
drwxr-sr-x    2 500      501          4096 Feb  6 10:37 META-INF
drwxr-sr-x    6 500      501          4096 Feb 12 14:07 WEB-INF
drwxr-sr-x    2 500      501          4096 Feb 16 08:13 css
drwxr-xr-x    2 500      501          4096 Feb 16 08:27 home
drwxr-sr-x    3 500      501          4096 Feb 12 14:13 images
drwxr-sr-x    2 500      501          4096 Feb 16 00:37 js

sftp> mkdir css/test
Couldn't create directory: Permission denied

I have tried almost everything but still cannot figure out why the owner of the directory does not have write permission.

chaplean
  • Did you check your logs? Chrooting poses some restrictions on the entire path the home dir is located in, and I suspect something like that is going on. Although, it appears you did make the home dir root owned, as you should. Edit:, however, it's not chgrp'ed test1 and group writable. – Halfgaar Feb 16 '14 at 09:17
  • set -l VERBOSE in config and log shows the following: Feb 16 13:25:39 IZ kernel: type=1400 audit(1392542739.494:72): avc: denied { write } for pid=11048 comm="sshd" name="css" dev=dm-0 ino=1843649 scontext=unconfined_u:system_r:chroot_user_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir – chaplean Feb 16 '14 at 09:26
  • I tried even chmod 777, still nothing – chaplean Feb 16 '14 at 09:29
  • What if you `su --shell /bin/bash - test1` and then try to write there? – Halfgaar Feb 16 '14 at 09:31
  • The problem is when I write something under "su test1" everything is ok, but inside sftp is not – chaplean Feb 16 '14 at 09:50

2 Answers

The exact one that has to be enabled is:

setsebool -P ssh_chroot_rw_homedirs on

I struggled with that for 2 days before I got that!!

HBruijn
Melvin

I think you need to enable some SELinux bool; for more information about the SELinux bools of a service, you can type `man sftpd_selinux` from your shell.

 [root@worktux ~]# getsebool -a | grep sftp
 sftpd_anon_write --> off
 sftpd_enable_homedirs --> off
 sftpd_full_access --> off
 sftpd_write_ssh_home --> off
c4f4t0r
  • Thank you! It was selinux again. Typing `echo 0 > /selinux/enforce` temporarily solved the problem. – chaplean Feb 16 '14 at 14:14