14

I just set up my SFTP server and it works fine when I use it from my first user account. I wanted to add a user which we will call 'magnarp'. At first I did like this in sshd_config:

Subsystem sftp internal-sftp


Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

That worked fine enough, user magnarp went into his home directory. I then tried to add a symbolic link to it.

home$ sudo ln -s /home/DUMP/High\ Defenition/ /home/magnarp/"High Defenition"

The symlink worked fine via SSH but not over SFTP.

So what I want to do now is to Chroot group sftponly to /home/DUMP and I did like this:

Match group sftponly
    ChrootDirectory /home/DUMP
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

The DUMP folder has permissions as follows.

drwxrwxrwx  5 root     root      4096 aug 18 02:25 DUMP

And this is the error code:

Aug 18 16:40:29 nixon-01 sshd[7346]: Connection from 192.168.1.198 port 51354
Aug 18 16:40:30 nixon-01 sshd[7346]: Accepted password for magnarp from 192.168.1.198 port 51354 ssh2
Aug 18 16:40:30 nixon-01 sshd[7346]: pam_unix(sshd:session): session opened for user magnarp by (uid=0)
Aug 18 16:40:30 nixon-01 sshd[7346]: User child is on pid 7467
Aug 18 16:40:30 nixon-01 sshd[7467]: fatal: bad ownership or modes for chroot directory "/home/DUMP"
Aug 18 16:40:30 nixon-01 sshd[7346]: pam_unix(sshd:session): session closed for user magnarp
Jonathan

2 Answers

27

sshd has a certain level of paranoia when it comes to chroot directories. I do not think this can be disabled (even with StrictModes no). The chroot directory and all parent directories must be properly set:

  1. The chroot directory and all of its parents must not have group or world write capabilities (i.e. chmod 755).
  2. The chroot directory and all of its parents must be owned by root.

In your case the login error can be fixed with chmod 755 /home/DUMP. Your apparent intent to have a world-writable directory that sftpuser can log into and everyone can put files in can be solved by making that directory a subdirectory of /home/DUMP/.

DerfK

    Worked like a charm! Thank you. Now I just have to fix all the sub-directories and my NFS system as well :) – Jonathan Aug 18 '12 at 15:23
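As an added example (not code from either answer or from OpenSSH), here is a POSIX shell check that walks from a ChrootDirectory up to / and applies the two rules above to every component, parsing the same `ls -ld` fields the question shows; the function names and the sample path /home/DUMP are assumptions for the example.

```shell
#!/bin/sh
# Added example: emulate sshd's ChrootDirectory sanity check. Every path
# component from / down to the chroot must be owned by root and must not be
# writable by group or others. Function names are my own, not OpenSSH's.

# Policy check for one component, given the mode string and owner as printed
# by `ls -ld` (e.g. "drwxrwxrwx" and "root"). Returns 0 if acceptable,
# 1 otherwise, printing each reason to stdout.
chroot_component_ok() {
    mode=$1
    owner=$2
    path=$3
    ok=0
    if [ "$owner" != "root" ]; then
        echo "$path: owned by '$owner', sshd requires root"
        ok=1
    fi
    # Mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other.
    # The trailing '*' tolerates a '+' or '.' ACL/SELinux suffix.
    case "$mode" in
        ?????w*)    echo "$path: group-writable ($mode)"; ok=1 ;;
    esac
    case "$mode" in
        ????????w*) echo "$path: world-writable ($mode)"; ok=1 ;;
    esac
    return $ok
}

# Walk from the chroot directory up to /, checking each component.
# Returns 0 only when every component passes.
check_chroot_path() {
    cur=$1
    status=0
    while :; do
        line=$(ls -ld "$cur") || { echo "$cur: cannot stat"; return 1; }
        # Fields of `ls -ld`: mode, link count, owner, group, ...
        set -- $line
        chroot_component_ok "$1" "$3" "$cur" || status=1
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    return $status
}

# Usage: sh chroot_check.sh /home/DUMP
if [ $# -gt 0 ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

Run it against the intended ChrootDirectory before restarting sshd; it reports every offending component, which is more than the single "bad ownership or modes" line in the log tells you.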
0

A) What would be the point of making chroot if making symlinks would help evading the chroot? (Any user could upload a symlink and then get access to the whole filesystem)

B) One more chmod 777 and you will get flamed by Theo (http://rlv.zcache.com/i_got_flamed_by_theo_de_raadt_t_shirt_tshirt-p235453348828729121en7rf_210.jpg). See http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-January/028151.html to understand why openssh is so picky about chroot directory permissions.