
I am trying to create a new user and restrict his access to only a single folder in /usr/local/. So I did some googling and followed these steps.

groupadd controlgroup1
cd /usr/local
mkdir controlfolder1
chmod g+rw controlfolder1/
chgrp -R controlgroup1 controlfolder1/
useradd control1
passwd control1
gpasswd -a control1 controlgroup1

I went into /etc/sshd_config and toward the end of the file I added this

Match Group controlgroup1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /usr/local/controlfolder1/
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

I restarted ssh: systemctl restart sshd.

So when I tried to log in as the control1 user I saw this in the log file:

Accepted password for control1 from 192.168.1.8 port 52912 ssh2
May  5 14:12:47 localhost sshd[2639]: pam_unix(sshd:session): session opened for user control1 by (uid=0)
May  5 14:12:47 localhost sshd[2639]: fatal: bad ownership or modes for chroot directory component "/usr/local/controlfolder1/" [postauth]
May  5 14:12:47 localhost sshd[2639]: pam_unix(sshd:session): session closed for user control1

I have ensured control1 is the owner of it.

ls -ld controlfolder1/
drwxrwxr-x. 2 control1 controlgroup1 6 May 5 13:58 controlfolder1/

I have followed the steps but I have a new issue with "chown -R control1:controlgroup1 /usr/local/controlfolder1/control1". So this is different. I also want to give ssh access, not just sftp. I hope this will clear the duplication error.

user5313398
  • No, now I am facing a different issue, as you can see in the comments below, on the error fatal: safely_chroot: stat("/usr/local/controlfolder1/control1/"): Permission denied [postauth] – user5313398 May 07 '17 at 02:23
  • That is a different story and a known bug in CentOS 7.3. The folder `/usr/local/controlfolder1` needs to have the search bit for others set: `chmod o+x /usr/local/controlfolder1`. – Jakuje May 07 '17 at 06:34
  • @Jakuje so it is a bug in CentOS 7.3? So for other CentOS versions, say 6.8, what must I set? Will the user have shell access in this scenario? – user5313398 May 07 '17 at 17:19

1 Answer


The problem is that sshd requires the chroot directory to be owned by root, with only root having write permissions. So you would have to set control1's home directory to /usr/local/controlfolder1/control1, for example, and run:

chown root:root /usr/local/controlfolder1
chmod 700 /usr/local/controlfolder1
chown -R control1:controlgroup1 /usr/local/controlfolder1/control1

Source: https://wiki.archlinux.org/index.php/SFTP_chroot#Troubleshooting

PaterSiul
  • Once I give this access he can just ftp in, right? Can he also get shell access to view just this folder and run, e.g., compile the Java? – user5313398 May 06 '17 at 20:06
  • I saw you created another folder control1? Who will create that folder, control1 or root? So in the sshd_config what has to be changed? – user5313398 May 06 '17 at 20:10
  • I am now getting this error: fatal: safely_chroot: stat("/usr/local/controlfolder1/control1/"): Permission denied [postauth] – user5313398 May 06 '17 at 20:16
  • You create the folder as root and then change permissions with "chown -R control1:controlgroup1 /usr/local/controlfolder1/control1". – PaterSiul May 06 '17 at 20:38
  • Yes, I did that, but I am still receiving this error. Here are my ls -ld results: ls -ld controlfolder1/ drwx------. 3 root root 22 May 6 16:11 controlfolder1/. ls -ld controlfolder1/control1/ drwxr-xr-x. 2 control1 controlgroup1 6 May 6 16:11 controlfolder1/control1/. You can see the control1 folder is owned by control1.controlgroup1? Why am I still getting the permission error? – user5313398 May 07 '17 at 02:20
  • Hm. You could try disabling SELinux like [here](https://www.centos.org/forums/viewtopic.php?t=9009#p41743). Also, it seems like there was a bug in older versions of openssh that only checked for the primary group of the user. Try running `usermod -g controlgroup1 control1`. – PaterSiul May 08 '17 at 17:07
  • I tried your commands on CentOS 6.9. First the user could not go into the folder. Now he can go in, but he can see all the other folders and access them, so it defeats the whole purpose of the chrooting? – user5313398 May 08 '17 at 17:56
  • If the other subfolders of `/usr/local/controlfolder` are also readable for group controlgroup1, then yes. – PaterSiul May 08 '17 at 18:06
  • Now the user can browse everything on the machine: usr, bin, root, all folders he can access without issue on CentOS 6.9. – user5313398 May 09 '17 at 03:03
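The two errors in this thread come from two different checks that sshd runs before handing the session to the user, and the answer's `chmod 700` fixes the first while triggering the second. The script below is an added example (not code from the question, the answer or OpenSSH) that reproduces both checks on any directory so they can be diagnosed without restarting sshd and reading the log: every component from "/" down to the ChrootDirectory must be root-owned and not group- or world-writable (the "bad ownership or modes" failure from the question's `chmod g+rw`), and the chroot directory itself must be searchable by the user after privileges are dropped (the "safely_chroot: stat(...): Permission denied" failure from the comments, fixed by `chmod o+x`). It assumes GNU coreutils `stat`; the `CHROOT_OWNER_UID` variable and the optional START argument are my additions so the check can be exercised by an unprivileged user over a scratch tree, whereas sshd always demands uid 0 and always walks from "/".

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Reproduces the two
# checks sshd applies to a ChrootDirectory:
#   1. every path component from "/" down must be owned by root and must not be
#      group- or world-writable, otherwise:
#        fatal: bad ownership or modes for chroot directory component "..."
#   2. the chroot directory must be searchable by the login user (o+x) or the
#      user cannot even stat its home after chroot:
#        fatal: safely_chroot: stat("..."): Permission denied
#
# Assumptions (mine, not from the page): GNU coreutils stat. CHROOT_OWNER_UID and
# the optional START argument only exist so an unprivileged user can test the
# logic on a scratch tree; sshd itself always requires uid 0 and starts at "/".

# Return 1 (and print an sshd-style message) if DIR breaks the ownership/mode rule.
check_chroot_component() {
    cc_dir=$1
    cc_want_uid=${CHROOT_OWNER_UID:-0}
    cc_uid=$(stat -c '%u' "$cc_dir") || return 1
    cc_perm=$(stat -c '%A' "$cc_dir") || return 1      # e.g. drwxrwxr-x
    case $cc_perm in
        ?????w*|????????w*) cc_writable=1 ;;           # group-write (pos 6) or other-write (pos 9)
        *) cc_writable=0 ;;
    esac
    if [ "$cc_uid" != "$cc_want_uid" ] || [ "$cc_writable" -eq 1 ]; then
        echo "bad ownership or modes for chroot directory component \"$cc_dir\" (uid=$cc_uid $cc_perm)"
        return 1
    fi
    return 0
}

# check_chroot_path CHROOT [START]
# Walk from START (default "/") down to CHROOT checking each level, then confirm
# CHROOT is searchable by others. Exit status: 0 ok, 1 bad ownership/modes,
# 2 chroot not searchable by the user.
check_chroot_path() {
    cp_chroot=${1%/}
    [ -n "$cp_chroot" ] || cp_chroot=/
    cp_start=${2:-/}
    cp_start=${cp_start%/}
    [ -d "$cp_chroot" ] || { echo "not a directory: $cp_chroot"; return 1; }
    case $cp_chroot in
        "$cp_start"/*|"$cp_start") ;;
        *) echo "$cp_chroot is not below ${cp_start:-/}"; return 1 ;;
    esac
    cp_path=${cp_start:-/}
    check_chroot_component "$cp_path" || return 1
    if [ "$cp_chroot" = "${cp_start:-/}" ]; then
        cp_rel=""
    else
        cp_rel=${cp_chroot#"$cp_start"/}                # components below START
    fi
    while [ -n "$cp_rel" ]; do
        cp_comp=${cp_rel%%/*}
        cp_path="${cp_path%/}/$cp_comp"
        check_chroot_component "$cp_path" || return 1
        if [ "$cp_rel" = "$cp_comp" ]; then cp_rel=""; else cp_rel=${cp_rel#*/}; fi
    done
    cp_perm=$(stat -c '%A' "$cp_chroot")
    case $cp_perm in
        ?????????[xt]*) ;;                              # others have search (x or t)
        *) echo "chroot directory \"$cp_chroot\" is not searchable by others ($cp_perm); run chmod o+x on it"
           return 2 ;;
    esac
    echo "ok: $cp_chroot"
    return 0
}

# The layout the thread converges on: a root-owned chroot that nobody but root can
# write to but that the user can search, with a user-owned directory beneath it for
# the user's files. Must be run as root (it chowns to another user).
layout_chroot() {
    lc_chroot=${1%/}; lc_user=$2; lc_group=$3
    mkdir -p "$lc_chroot/$lc_user" &&
    chown root:root "$lc_chroot" &&
    chmod 755 "$lc_chroot" &&
    chown "$lc_user:$lc_group" "$lc_chroot/$lc_user" &&
    chmod 750 "$lc_chroot/$lc_user"
}

# Usage: sh check_chroot.sh /usr/local/controlfolder1
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run against the question's original layout (`drwxrwxr-x control1 controlgroup1`) the walk stops at `/usr/local/controlfolder1` with the "bad ownership or modes" message, because the directory is neither root-owned nor free of the group-write bit; against the answer's `chmod 700` layout every component passes but the final check returns 2, which is the `Permission denied` the comments ran into. A sticky, world-writable directory such as `/tmp` fails the first check as well, so a chroot cannot live under it. After `layout_chroot` (or the equivalent `chown root:root`, `chmod 755` on the chroot and `chown control1:controlgroup1` on the subdirectory) the check returns 0.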