3

I would like to achieve the following with OpenSSH's internal-sftp, chroot and Match directive:

Users belonging to group sftpuser should have read and write access to /srv/sftp/{username} (or similar, certain tricks to present a nicer looking directory structure to the chrooted user might be taken)

Users belonging to group sftpadmin should have read and write access to /srv/sftp and subdirectories, i.e. all the other user directories.

All the users belonging to either sftpadmin or sftpuser are sftp-only users. So no need to worry about shells etc.

/srv/sftp needs to be owned by root for the sftpadmin users to be chrooted to that folder. /srv/sftp/{username} also needs to be owned by root to chroot the sftpuser users to that that folder.

How should I best grant the sftpadmin users access to the root owned /srv/sftp/{username} directories?

Could I just use ACL on top of the root permissions?

Wuhtzu
  • 336
  • 2
  • 4
  • 8
  • The answer to "Could I just use ACL on top of the root permission?" is **no**. The OpenSSH chroot will not work if I give for example read permission to the sftpadmin group like this "setfacl -m g:sftpadmin:r--". Then the login to the server fails. So ACL on top of the root ownership of the chroot directory is no good. – Wuhtzu Apr 30 '14 at 08:39

1 Answers1

4

I ended up doing this:

/srv/sftp/testadmin (home dir of the testadmin user)

/srv/sftp/testuser/testuser (home of the testuser user)

The sftpadmin group I chrooted to /srv/sftp:

Match Group sftpadmin
    ChrootDirectory /srv/sftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

and the sftpuser group I chrooted to /srv/sftp/{username} and changed their starting directory to /srv/sftp/{username}/{username} (which is just /{username} seen from the chroot):

Match Group sftpuser
    ChrootDirectory /srv/sftp/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -d /%u

Finally I gave the sftpadmin group rwx on the /srv/sftp/testuser/testuser dir:

setfacl -m g:sftpadmin:rwx /srv/sftp/testuser/testuser

This roughly accomplished what I wanted. The sftpadmin group can read, write and change working directory to anything beneath /srv/sftp (including the "home dirs" of the sftpuser group). The sftpuser group can only write to /srv/sftp/{username}/{username} directory and not see the other sftpuser home dirs since they are located outside the chroot for the sftpuser group.

The only think undesirable about this is /srv/sftp/{username}/{username} structure. A user of the sftpuser group can do cd .. and get back to /srv/sftp/{username} where said user can do nothing useful except change back to /srv/sftp/{username}/{username}. The changing directory to /srv/sftp/{username} could be prevented by removing the execute bit for /srv/sftp/{username} but that would also prevent the sftpadmin group for changing to that directory and hence effectively preventing them from listing files etc. in the /srv/sftp/{username}/{username} dir.

Wuhtzu
  • 336
  • 2
  • 4
  • 8