Securing file system for secure SFTP server

Question

This might not seem as a development question, but in essence it is. Let me explain how. Our main development focus is dynamic content pages. Some of our customers have asked us to allow them space in our servers (which they pay) for their old static content. We use to accomplish this by giving the customer a ftp account to a different domain. (e.g. Customer domain is customer.com but they were accessing their static content through otherdomain.com/customerstatic).

Now we want to increase the security giving customers sftp accounts in their linux servers. I am using openssh/sftp-server in their shell environment so they are unable to log in or execute commands.

The problem is that by nature many file system files are by default (drwxr-xr-x) which means that any user will be able to read the content of the directory and possibly some files. I don't think that changing the whole file system to -rwxr-x--x is a wise move since I don't know how many system files will need that read permission.

Have someone confronted this issue in the past. If you have, could you enlighten the way?

Thanks

Good question and concise complete answer - a moderator should probably change the title and turn it into a non-wiki question. — MikeyB, May 27 '09 at 15:51

score 22 · Answer 1 · answered May 27 '09 at 15:25

22

SFTP by nature isn't insecure; letting them into your whole filesystem is. Check this out to see how you can enable SFTP access on a chroot basis, which will lock in the directories they can access to, say, their home directories, or wherever you want them to upload.

On Linux, I would pay attention to this part (configuring /etc/ssh/sshd_config):

  Match Group sftponly
         ChrootDirectory %h
         ForceCommand internal-sftp 
         AllowTcpForwarding no

This means that anyone in the 'sftponly' user group would be restricted to their home directories.

See the link for more, and also read the sshd_config manpage. Hope that helps.

answered May 27 '09 at 15:25

In addition, you may need to tell OpenSSH to use its `internal-sftp` when the client requests the sftp subsystem—it may have been set to use the external `sftp-server` program. To do this, add or change the line `Subsystem sftp internal-sftp` in the main section of the configuration file (not under the `Match` section). – Nate Oct 03 '09 at 13:29
Josh, did you ever figure out a way to make this not require root ownership of the users' home directories? – Matt Simmons Dec 01 '09 at 19:37

score 1 · Answer 2 · answered May 27 '09 at 15:50

1

This may be of interest - http://sublimation.org/scponly/wiki/index.php/Main_Page

Allowing you to restrict some users to scp only - and also optionally chroot'ing them.

answered May 27 '09 at 15:50

score 1 · Answer 3 · answered May 27 '09 at 16:09

When you say "Many filesystems are by default 755 permissions", that actually means the default umask is set to 022. You can change this default (for new files) by setting the umask to 027, which would make the default permissions 750, or set the umask to 007, which would make the default permissions 770.

score 0 · Answer 4 · answered May 27 '09 at 15:43

0

You might consider setting up an OpenVZ server, and then creating a separate small VM ftp/sftp 'container' for each company. This keeps them all separate, and once you get the hang of OpenVZ it really handy for these sort of small things.

answered May 27 '09 at 15:43

Kyle Brandt

82,107
71
302
444

Securing file system for secure SFTP server

4 Answers4

Linked