-
-
Save aussielunix/859768 to your computer and use it in GitHub Desktop.
| add the following to `sshd_config` | |
| Subsystem sftp internal-sftp | |
| Match User foo | |
| ChrootDirectory /home/foo | |
| AllowTCPForwarding no | |
| X11Forwarding no | |
| ForceCommand internal-sftp | |
| Run the following shell commands: | |
| chown root:root /home/foo | |
| mkdir /home/foo/data | |
| chown foo:foo /home/foo/data | |
| Now when the `foo` user sftp's in they will be chroot`ed to their $HOME but only have permission to upload files to $HOME/data | |
Thanks.
This is working fine on a Ubuntu Lucid box.
I'll check it out for future reference so I don't get any surprises.
NP. The reference is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904 . After that, they made the change that I mentioned. Basically, that's how it is now in RHEL5/6.
G`Day
From what I can tell, what i am doing isn't affected by the patch/exploit you mention.
ChrootDirectory /home/foo
chown root:root /home/foo
I am setting the chroot to the home and setting the owner of that home to root (not the user logging in)
Then to give write perms to the user I create a user owned directory below chroot that they have to change into first to be able to write.
mkdir /home/foo/data
chown foo:foo /home/foo/data
Cheers
Mick
Oh, sorry, my bad. I actually missed the fact that you were chown'ing the $HOME to root:root ! This takes care of the problem that I mentioned above.
Being inattentive doesn't pay off...
This will not work with recent secure OpenSSH versions, because the chroot shouldn't be user-owned and writeable. You need to create a separate chroot outside of home.