
I'm trying to chroot a user named rasportine to a folder. I followed a tutorial and modified the sshd_config file by adding

Match User rasportine
ChrootDirectory /var/www/clubs/rasportine
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

I think the access rights of the folders are right; the result of ls -ld is

drwxr-xr-x 4 root root 4096 Dec 24 12:05 rasportine

But when I try to connect to the server with FileZilla using the rasportine account, this error appears in the logs.

pam_unix(sshd:session): session opened for user rasportine by (uid=0)
fatal: bad ownership or modes for chroot directory component "/"

How can I get rasportine to log directly into this folder so that he can only access this one?

Thanks.

arthurM

1 Answer


Chroot on ssh is a pretty severe config change. You are genuinely using chroot on the login command, which means the chroot directory has to have everything the user needs to interact with the system.

Here's a tutorial about that:

http://allanfeid.com/content/creating-chroot-jail-ssh-access

Here's a link that discusses that exact error message:

https://wiki.archlinux.org/index.php/SFTP_chroot#Troubleshooting

Keep in mind that '/' might mean '/var/www/clubs/rasportine' depending on when in the chroot process you are. Also, maybe '/' really does have permissions/ownership issues.

Dylan Martin
    Thanks for your answer. I followed a tutorial just like this one for an apache server. The thing is that despite what's written on sshd_config, the error says that the user tries to access "/" and not "/var/www/clubs/rasportine". – arthurM Jan 25 '17 at 22:53
  • When debugging chroots assume that the chroot path and / are equal in error messages. If you get an error message before the chroot system call is called, it'll have the full path. If an error is triggered after the system call then it'll have the new path. It's really kind of annoying. As an aside, I seem to remember that you can sftp to chrooted users without having /bin/bash present or anything like that. You could use that to test the login maybe? – Some Linux Nerd Jan 25 '17 at 23:55
  • Ok, that explains why the error is about '/'. But I triple-checked the access rights and I can't find why the ownership or modes should be wrong. – arthurM Jan 26 '17 at 07:57