I am trying to configure a SFTP server for some automated backups. I configured an Ubuntu 14.04 server and have had partial success. The idea I'm looking to do is this:
- A user will be created for each particular system to be backed up. SFTP only.
- The user will be Chrooted and not be able to read or write outside their home directory.
- The user's home will be the "root" once logged in.
- The user will be able to upload files to the root. (This is where I'm stuck.)
I used the following snippet to create the Chroot in sshd_config like this:
Match Group sftpbackup
ChrootDirectory /srv/sftpbackup/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Then I set the permissions on /srv/sftpbackup as per the requirements.
# ls -l
total 4
drwxr-x--- 3 root sftpbackup 4096 Jan 5 15:29 user1
#
Now, the user can login but cannot upload files (Permission Denied). If I change the directory ownership to look like this:
# ls -l
total 4
drwxrwx--- 3 user1 sftpbackup 4096 Jan 5 15:29 user1
#
Then the user cannot login, from auth.log:
sshd[14835]: fatal: bad ownership or modes for chroot directory "/srv/sftpbackup/user1"
It seems like, if the user's home directory is the SFTP chroot, root must own the directory, thus a subdirectory must be created so that the user can write to it.
Is there anyway to make the root writeable? Looking at various websites, it appears that there is no way to achieve what I want. I don't quite understand though what the difference is between having the chroot dir writeable by the user and having a subdirectory writeable. Insights would be appreciated.
Note: My goal is to create a server where backups can be stored by various devices. The devices will be configured by a third-party vendor, thus I'm trying to keep things as simple (one user name per device, all files go to the "root" once logged in) and secure (the users created will have minimal rights to the server) as possible. Apologies if my desires are a bit rigid.
