I've set up a simple SFTP server on Ubuntu 18.04. I have 10 users that should only have access to the files in their home directories and they should not be able to get out of their home directory.
We have an API that is writing files to their home directories.
So far, so good.
The users can log in, retrieve the files, and are constrained to their own directories. They cannot, however, remove the files. Any 'rm' command returns a permissions error – Couldn't delete file: Permission denied.
The user/group for the folder is root:www-data. If I change it to user:www-data, SFTP breaks – they can't log in. I created a group 'sftp', but again, if I add the user to the sftp group and change the home directory to user:sftp, they can't log in.
Here's what the home folder looks like:
drwxr-xr-x 2 root www-data 172032 Feb 6 14:19 29
drwxr-xr-x 2 root www-data 135168 Feb 6 14:17 52
drwxr-xr-x 4 root www-data 69632 Feb 6 14:15 44
drwxr-xr-x 2 root www-data 36864 Feb 6 14:14 68
My sftp config from /etc/ssh/sshd_config is:
Match group sftp
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
My users are set up like this:
29:x:1002:1001::/home/26:/bin/sh
44:x:1003:1003::/home/44:/bin/sh
52:x:1004:1004::/home/52:/bin/sh
68:x:1005:1005::/home/29:/bin/sh
My sftp group is:
sftp:x:1001:26,44
Best Answer
Apart from the user naming problem, which should be corrected, but probably has no influence on your use case, your configuration must satisfy two incompatible constraints:
Therefore you need to create a directory inside /home/user, which will be owned by the user. A prime choice is /home/user/home/user, to which sftp will go after logging in.
Summarizing, if you have users like this:
you just need to create some directories:
The setgid on users' homes might be useful for your scripts (which run as www-data, I assume). You might also consider setting the umask for sftp:
PS: I cannot understand why many people insist on administratively prohibiting users from accessing each other's home directories. A sound default permission on the home directory (e.g. 700) and umask (077) should be enough. Those who know what they are doing can change their permissions.
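The following is an added example, not part of the original question or answer. It checks the two conditions that collide here: sshd accepts a ChrootDirectory only if every path component is root-owned and not group- or other-writable, while deleting a file needs write and search permission on the containing directory. The function names and the sample uid/gid values are hypothetical, and supplementary groups, ACLs and the sticky bit are ignored.

```shell
#!/bin/sh
# Added example: audit ownership and modes for a chrooted SFTP layout.

# component_ok UID MODE: succeeds if a path component is acceptable to sshd
# as part of a ChrootDirectory (owned by root, no group/other write bit).
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
}

# can_unlink USER_UID USER_GID DIR_UID DIR_GID DIR_MODE: succeeds if that user
# holds write+search on the directory, which is what removing a file requires.
can_unlink() {
    if [ "$1" -eq "$3" ]; then sh=6      # owner permission bits apply
    elif [ "$2" -eq "$4" ]; then sh=3    # group permission bits apply
    else sh=0; fi                        # "other" permission bits apply
    bits=$(( (0$5 >> $sh) & 7 ))
    [ $(( bits & 3 )) -eq 3 ]
}

# audit_chroot ABSOLUTE_PATH: walks from the path up to / and reports every
# component sshd would reject. Returns 0 if clean, 1 if any component fails,
# 2 on usage or stat errors. Uses GNU stat, as shipped on Ubuntu.
audit_chroot() {
    p=$1; bad=0
    case $p in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        meta=$(stat -c '%u %a' "$p") || return 2
        if ! component_ok "${meta% *}" "${meta#* }"; then
            echo "FAIL $p (uid ${meta% *}, mode ${meta#* })"
            bad=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $bad
}

# Usage: sh audit.sh /home/44   (the path is whatever ChrootDirectory expands to)
if [ $# -gt 0 ]; then audit_chroot "$1"; fi
```

With constructed values, a root-owned mode 755 chroot passes `component_ok` but fails `can_unlink` for the SFTP user, and a user-owned directory does the reverse, which is why the writable directory has to sit one level below the chroot.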