How to not allow a user outside of their home directory with SFTP

4

I'm running Ubuntu 10.04. I have users' home directories set, but I want to restrict them to their home directory and its children when they are connecting via SFTP.

In other words: not allowing them to move outside of it.

What do I have to do to achieve this?

Janis Peisenieks

Posted 2011-12-23T12:12:29.817

Reputation: 171

Do you mean you don't want them to be able to run anything in /bin and /usr/bin? So no shell, gui or any traditionally user accessible commands? – Paul – 2011-12-23T12:16:10.810

What do you want to achieve? E.g. restrict access to home directory in FTP or SFTP? – Daniel Beck – 2011-12-23T12:18:01.607

I meant in ftp. Edited accordingly – Janis Peisenieks – 2011-12-23T12:21:12.580

-1 Question does not show any research effort.

– Daniel Beck – 2011-12-23T12:26:51.607

Dangit, I meant sftp. Don't have ftp installed. – Janis Peisenieks – 2011-12-23T12:47:13.927

There's a reason I asked, you know. – Daniel Beck – 2011-12-23T13:12:41.103

Answers

9

FTP

From the Ubuntu documentation:

Securing FTP

There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:

chroot_local_user=YES

You can also limit a specific list of users to just their home directories:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd:

sudo /etc/init.d/vsftpd restart

SFTP

Edit /etc/ssh/sshd_config:

Set the SFTP subsystem, if necessary:

    Subsystem sftp internal-sftp

Add the following:

    Match User theUserName
        ChrootDirectory %h
        ForceCommand internal-sftp

Save and test the configuration by running sshd -t. If this is successful, restart ssh afterwards to apply changes.

Depending on your exact setup, the folder you specify as ChrootDirectory (%h is the user's home) must be owned by root with no write permissions for others. So it's not exactly a real home directory.

Daniel Beck

Posted 2011-12-23T12:12:29.817

Reputation: 98 421

A wonderful solution, the gem inside is the internal-sftp module! I was not aware ssh has sftp built in; by using internal-sftp you do not have to create a whole library subsystem around the sftp binary when chrooting. Hassle-free and more elegant. – John – 2015-11-20T13:41:54.963

Thanks! I tried this, and what happens is: the user can't connect anymore. FileZilla says "Server unexpectedly closed network connection". – Janis Peisenieks – 2011-12-23T17:55:35.920

@JanisPeisenieks Cannot connect anymore using SSH, SCP or SFTP? – Daniel Beck – 2011-12-23T17:57:16.400

SFTP and SSH. Don't use SCP, so can't confirm. – Janis Peisenieks – 2011-12-23T18:08:24.883

@JanisPeisenieks SSH will no longer work, as the user has no access anymore to his login shell installed outside his chroot'ed home directory. You'd need to copy the required programs and libraries over to make them available. Try reading up on chroot, it really behaves in a similar way. Regarding the SFTP problem, check the log files if you haven't already done so. I suspect it's a permissions issue like I mentioned in the last paragraph of my post. – Daniel Beck – 2011-12-23T18:10:48.717

What I'm getting is bad ownership or modes for chroot directory component "/srv/www/" – Janis Peisenieks – 2011-12-23T23:09:09.513

@JanisPeisenieks Have you read and understood the last paragraph of my answer? – Daniel Beck – 2011-12-24T04:49:21.470