CentOS SFTP chroot

2

I have some issues chrooting SFTP access for a client.

I can access the directory, but the problem is that I can't read or write; I can only access the directory.

Below is what I've done:

# cat /etc/passwd | grep comege
comege:x:1001:1001::/home/sftp/comege/home/:/sbin/nologin

# cat /etc/group | grep sftp
sftp-only:x:1001:

# sshd_config
Subsystem sftp internal-sftp
Match Group sftp-only
ChrootDirectory /home/sftp/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

SELinux is set to permissive for testing purposes.

When I connect to the server using SFTP I get the following error:

Error listing directory '/'. Permission denied

Permissions:

/home/sftp/comege and its parent directories belong to root:root.

/home/sftp/comege/home belongs to comege:sftp-only

I think the issue is that comege isn't redirected to /home/sftp/comege/home on connection, so it lands in /home/sftp/comege, which belongs to root, hence the lack of permissions (?)

Loïc

Posted 2016-07-12T15:11:11.690

Reputation: 25

Answers

4

It looks like the permissions for the chroot directory, /home/sftp/comege, are not set to allow read access by the comege user.

Permissions on /home/sftp/comege should look like this:

# ls -la /home/sftp/comege
total 0
drwxr-xr-x 1 root   root       8 Jul 19 12:00 .
drwxr-xr-x 1 root   root      12 Jul 19 11:59 ..
drwx------ 1 comege sftp-only 76 Jul 19 12:00 home

Change the permissions with:

# chmod 755 /home/sftp/comege

Note this does not take into account SELinux permissions.

By design, an SFTP session in a chrooted environment will start with the user in the chroot "jail" which must be owned by root. It's intended that the user will only write to files in subdirectories of the top-level root directory. One convention is to create a subdirectory called "incoming" for user uploads instead of the "home" directory shown in the original example.

Stephen Balousek

Posted 2016-07-12T15:11:11.690

Reputation: 274
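The ownership and mode rules the answer describes are exactly what sshd enforces for ChrootDirectory: every component of the path must be root-owned and not writable by group or others, while the user's own writable directory sits below it. The script below is an added example (not from the question or answer) that checks those rules for a path like /home/sftp/comege before the user tries to log in; it assumes GNU stat (-c), as on CentOS, and the "home" upload subdirectory name used in the question.

```shell
#!/bin/sh
# Added example: check that a tree satisfies sshd's ChrootDirectory rules.
# usage: sh check_chroot.sh /home/sftp/comege comege

# Return 0 when an octal mode (stat %a output, e.g. 755 or 1777) has no
# write bit for group or others; sshd rejects a chroot component otherwise.
no_group_other_write() {
    m=$1
    while [ ${#m} -lt 4 ]; do m=0$m; done   # pad to suid/sticky + 3 digits
    grp=$(printf '%s' "$m" | cut -c3)
    oth=$(printf '%s' "$m" | cut -c4)
    for d in "$grp" "$oth"; do
        case $d in 2|3|6|7) return 1 ;; esac  # any digit with the 2 bit set
    done
    return 0
}

# Walk from the chroot directory $1 upward until $2 (default /) has been
# checked. Each component must be owned by $3 (default root) and must not be
# group/other writable. Prints one line per violation, returns 1 if any.
check_chroot_path() {
    dir=${1%/}; [ -z "$dir" ] && dir=/
    stop=${2:-/}; stop=${stop%/}; [ -z "$stop" ] && stop=/
    want=${3:-root}; rc=0
    while :; do
        owner=$(stat -c %U "$dir") || return 2
        mode=$(stat -c %a "$dir")
        [ "$owner" = "$want" ] || { echo "$dir: owned by $owner, expected $want"; rc=1; }
        no_group_other_write "$mode" || { echo "$dir: mode $mode is group/other writable"; rc=1; }
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# The directory the user actually uploads into ($1) must belong to the
# account ($2); the chroot itself stays root-owned and read-only for them.
check_upload_dir() {
    owner=$(stat -c %U "$1") || return 2
    [ "$owner" = "$2" ]
}

if [ $# -ge 2 ]; then
    check_chroot_path "$1" / root && check_upload_dir "${1%/}/home" "$2"
fi
```

A non-zero exit with a printed violation identifies the component to fix; in the question's layout the expected fix is a root-owned, mode 755 /home/sftp/comege with a comege-owned home directory below it.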