Created March 8, 2011 02:51
chroot a sftp only user with openssh 5
Add the following to `sshd_config`:

```
Subsystem sftp internal-sftp
Match User foo
    ChrootDirectory /home/foo
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
```

Run the following shell commands:

```
chown root:root /home/foo
mkdir /home/foo/data
chown foo:foo /home/foo/data
```

Now when the `foo` user sftp's in they will be chrooted to their $HOME but only have permission to upload files to $HOME/data.
NP. The reference is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2904. After that, they made the change that I mentioned. Basically, that's how it is now in RHEL5/6.
G'Day

From what I can tell, what I am doing isn't affected by the patch/exploit you mention.

```
ChrootDirectory /home/foo
chown root:root /home/foo
```

I am setting the chroot to the home and setting the owner of that home to root (not the user logging in).
Then to give write perms to the user I create a user-owned directory below the chroot that they have to change into first to be able to write.

```
mkdir /home/foo/data
chown foo:foo /home/foo/data
```

Cheers
Mick
Oh, sorry, my bad. I actually missed the fact that you were chown'ing the $HOME to root:root ! This takes care of the problem that I mentioned above.
Being inattentive doesn't pay off...
Thanks.
This is working fine on an Ubuntu Lucid box.
I'll check it out for future reference so I don't get any surprises.