I'm trying to set up an upload directory on my server, and having the hardest time doing so. Uploads to the directory need to be accessible to all other users on the system, but the user account that is to be used for uploading should have no access at all (aside from uploading, that is), so I'm chrooting the uploaduser account to their own directory only. I'm using FTP over SSH because of policy considerations, and I've got the following setup:

UPLOAD DIRECTORY:

 /var/uploads/uploaduser/

(I'm using this because the uploaduser account is not a regular account and should not be treated as such; however, I'm wide open to other suggestions as to how to go about doing this.)

Permissions are set as follows:

/var/
drwxr-xr-x  25 root root  4096 Mar 30 10:04 var/

/var/uploads
drwxr-xr-x  3 root root 4096 Mar 23 12:22 uploads/

/var/uploads/uploaduser
drwx---r-x  3 root root 4096 Apr  4 10:14 uploaduser/

Now, when I use FileZilla or any other client to upload files to the uploaduser directory, I get a "permission denied" error. HOWEVER, if I change the ownership of the uploaduser directory or change its permissions, I get this error:

Couldn't read packet: Connection reset by peer

It seems to be a "damned if you do/damned if you don't" situation.

I've got the following setup in /etc/ssh/sshd_config:

Match user uploaduser
ChrootDirectory  /var/uploads/destiny/
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp

I'm using VSFTP and it's working just fine for all other applications involving FTP over SSH.

ETA: I'm using an Amazon EC2 instance as my webserver, and it's running the Amazon Linux AMI.

Jakuje

1 Answer


I'm just learning this myself right now and think I've just got over the hump you have come to.

Firstly, your upload directory does not match your ChrootDirectory. I'm going to assume this is a typo.

Some things I've come to learn:

  • VSFTP is not used when configuring SFTP
  • SFTP is SSH using SSH's built in SFTP (internal-sftp)

Now using ChrootDirectory...

  • The path must exist
  • The directory must have root user and group (root:root)
    • Which yours does
    • Because of this the SFTP user cannot write anything in this directory
  • Create another directory inside ChrootDirectory called content (for example)
    • This directory must have uploaduser (SFTP user) as user and group (uploaduser:uploaduser)
    • I think this is the part you are missing
  • You may want to change your initial directory structure as the uploaded content will now be in /var/uploads/uploaduser/content

From my understanding...

  • The user won't be able to get out of the ChrootDirectory
    • Also known as a jail I believe!
  • I haven't found a way to create a jail where the jail root is writable (yet)
  • I have contemplated making a user have access to a current root:root directory but they will still be able to see all the content
    • If I used /home they would be able to see all the user directories (without access privileges though)

Hope this helps. If anyone knows how to make the jail writeable I'd be interested to know!

parmar84
  • That all makes sense, thanks. I went ahead and disabled VSFTP entirely and worked with SSH. I also had to create a subfolder within /uploads/, and that subdirectory was accessible by the user. – Richard Scott Crawford Apr 06 '17 at 19:08
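The layout the answer describes (a root-owned, non-writable ChrootDirectory with a user-owned subdirectory underneath it for the actual uploads), as an added shell example that is not part of the question, the answer or any project's code. It assumes Linux with GNU coreutils (`stat -c`), that the `uploaduser` account and group already exist, and that the setup step is run as root; the user name, paths and `content` subdirectory come from the thread, the helper function names are my own. The check functions also encode why the question saw two different errors: a chroot root that is group- or world-writable, or not owned by root, makes sshd refuse the session (logged as "bad ownership or modes for chroot directory" on the server, seen as "Connection reset by peer" by the client), while a correctly locked-down chroot root is by definition not writable by the SFTP user, hence "permission denied" until a user-owned subdirectory exists.

```shell
#!/bin/sh
# Added example (not from the question or answer): lays out an SFTP-only
# chroot and checks the ownership rules sshd enforces on ChrootDirectory.
# Assumptions: Linux + GNU coreutils (stat -c); setup_layout needs root;
# the uploaduser account and group already exist.

CHROOT=/var/uploads/uploaduser      # jail root: must be root:root, not group/other writable
UPLOAD_USER=uploaduser
CONTENT_DIR="$CHROOT/content"       # owned by the SFTP user; uploads land here

# Print a Match block whose ChrootDirectory is the directory actually created
# (the question's block pointed at /var/uploads/destiny/ instead).
sshd_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# mode_is_group_or_other_writable OCTAL: returns 0 if the group or other write
# bit is set (e.g. 775, 1777), 1 otherwise (e.g. 755, 750). sshd rejects a
# chroot root with either bit set.
mode_is_group_or_other_writable() {
    g=${1%?}; g=${g#"${g%?}"}   # second-to-last octal digit (group)
    o=${1#"${1%?}"}             # last octal digit (other)
    case "$g$o" in
        *[2367]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_chroot_root DIR: 0 if DIR is acceptable as ChrootDirectory
# (exists, owned by uid 0, no group/other write bit); otherwise prints why and returns 1.
check_chroot_root() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    owner=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    [ "$owner" -eq 0 ] || { echo "not root-owned: $dir (uid $owner)"; return 1; }
    if mode_is_group_or_other_writable "$mode"; then
        echo "group/other writable: $dir (mode $mode)"; return 1
    fi
    return 0
}

# check_content_dir DIR USER: 0 if DIR exists and is owned by USER, so that
# USER can actually write uploads into it from inside the jail.
check_content_dir() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    want=$(id -u "$user") || return 1
    have=$(stat -c %u "$dir")
    [ "$have" -eq "$want" ] || { echo "not owned by $user: $dir (uid $have)"; return 1; }
    return 0
}

# setup_layout: build the tree with the ownership sshd expects (run as root),
# then verify both halves of the rule.
setup_layout() {
    mkdir -p "$CONTENT_DIR"
    chown root:root /var/uploads "$CHROOT"
    chmod 755 /var/uploads "$CHROOT"
    chown "$UPLOAD_USER:$UPLOAD_USER" "$CONTENT_DIR"
    chmod 755 "$CONTENT_DIR"
    check_chroot_root "$CHROOT" && check_content_dir "$CONTENT_DIR" "$UPLOAD_USER"
}

# Usage: `sh thisscript.sh setup` as root builds the tree and prints the Match
# block to append to /etc/ssh/sshd_config.
case "${1:-}" in
    setup) setup_layout && sshd_match_block "$UPLOAD_USER" "$CHROOT" ;;
esac
```

After appending the printed block to `/etc/ssh/sshd_config`, run `sshd -t` to syntax-check the file before restarting the daemon; a chroot that fails `check_chroot_root` will not be caught by `sshd -t`, since sshd only inspects the directory at session time.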