Linux User Management – How to Jail Users in a Directory

Tags: debian, jail, linux, user-management, users

I have a VPS running Debian and would like to create user accounts on it.

I want it so that when the user logs in with sftp, everything in var appears to be their home directory and they cannot cd out of it.

For example, when user3 logs in, they have access to everything in var (read, write, execute) but cannot view (cd) user1 or user2's personal stuff.

How would I go about doing this?

I think I have to do this in chroot, but I have no idea how this would work.

Thanks

Best Answer

The #1 problem that people encounter with chrooted SFTP is that OpenSSH, by default, requires that root owns the whole path to a given user's chroot directory. In other words, if you want to chroot someone into /home/someone, / must be owned by root and have permissions no wider than 0755, /home must be owned by root and have permissions no wider than 0755, and perhaps most surprisingly, /home/someone must be owned by root and have permissions no wider than 0755. In your case, you want to chroot people into /var (I'm not even going to ask), so you avoid this permissions problem, but in other cases where it's unavoidable, you may want to look into mount --bind.

As to the actual chrooting, you've got two options for how to go about it: either by group or by user. In either case, you'll edit the sshd_config file. For group-wide, it'll look like:

Match group sftponly
    # everything below applies only to members of group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /var
    AllowTcpForwarding no

For per-user configuration, it'll simply be:

Match user sftpdude
    # everything below applies only to the user sftpdude
    ForceCommand internal-sftp
    ChrootDirectory /var
    AllowTcpForwarding no

Note that internal-sftp wasn't supported until OpenSSH version 5 or so, so you may have to compile a custom copy of OpenSSH if you don't have access to a v5 package.