
I have an Ubuntu server with several sites on it.

I would like to create SFTP accounts for my developers and give them access to only a single website.

For example, developer_A would only have access to website_A and developer_B would only have access to website_B.

I created the users, set their home folders to website_A and website_B respectively, and then used chown to make them the owners of website_A and website_B.

The problem is that the developers can still navigate outside of their home folders and access all the folders one level up (with just read permission and nothing else).

Is there a way to prevent the developers from viewing any other folder outside of their home directory? (so for developer_A, I want him to be stuck in /html/website_A)

I tried with Match User in sshd_config like so:

Match User developer_A
    ChrootDirectory /html/website_A
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

but once I do that, I can no longer connect to the server with that user, even though /html is owned by root and nobody else has write permission to /html.

Is there a simple way to achieve what I'm looking for? Any help is appreciated. Thanks in advance!

    Possible duplicate of [fatal: bad ownership or modes for chroot directory component "/" in SFTP](http://serverfault.com/questions/730305/fatal-bad-ownership-or-modes-for-chroot-directory-component-in-sftp) – Jakuje Apr 05 '17 at 06:42
  • Also `/html/website_A` needs to be root owned and not writable by anyone else or you should `chroot` to `/html/` only. – Jakuje Apr 05 '17 at 06:42
  • Thanks for the answer Jakuje. If I make /html/website_A owned by root and not writable by anyone else, then how will developer_A have full permissions inside that folder? – SelectStament767 Apr 05 '17 at 14:38

1 Answer


Also /html/website_A needs to be root owned and not writable by anyone else, or you should chroot to /html/ only. This is a requirement for the chroot and you can't work around it in OpenSSH, otherwise the server would be vulnerable to CVE-2009-2904.

User can't have write permissions to root of his chroot. Period.

Jakuje
  • Thanks for the explanation! So if I understood this correctly, /html/website_A will be owned by root and writable only by root. The content of /html/website_A can then be owned by developer_A and he can have write permissions on all the content inside /html/website_A but not on the actual /html/website_A folder. – SelectStament767 Apr 05 '17 at 19:56
  • Exactly as you write. – Jakuje Apr 06 '17 at 08:25