Ssh – How to allow write on SFTP only setup

freebsdsftpssh

I'm trying to setup FreeBSD 10 with an account that can SFTP, but not SSH.

I've got my sftponly group and my specific account is a member of that group. My sshd_config contains:

Match Group sftponly
ChrootDirectory /home/account
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

The /home/account is mode 755 with root:sftponly ownership. In this configuration I can login, list the directory, and "get" files but cannot upload files (write permission denied). If I change the account directory to 775 to give the sftponly group write permissions, then the login is blocked. What's the appropriate setup for allowing read AND write SFTP operations with SSH blocked?

Best Answer

Like the comment says OpenSSH is pretty strict about what permissions it allows on chroot directories (for good reasons). So the solution is to have a subfolder with the permissions you want to use for your particular case.

Related Solutions

Ubuntu – SFTP Fatal Bad Ownership or Modes for Chroot Directory

sshd has a certain level of paranoia when it comes to chroot directories. I do not think this can be disabled (even with StrictModes no). The chroot directory and all parent directories must be properly set:

The chroot directory and all of its parents must not have group or world write capabilities (ie chmod 755)
The chroot directory and all of its parents must be owned by root.

In your case the login error can be fixed with chmod 755 /home/DUMP Your apparent intent to have a world-writable directory that sftpuser can log into and everyone can put files in can be solved by making that directory a subdirectory of /home/DUMP/

Linux – Creating multiple SFTP users for one account

Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).

Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).

We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:

setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
  group:admin:rwx,  user:www-data:r-x,  user:$USERNAME:rwx,  group:$USERNAME:rwx \
/home/$USERNAME/

This does the following:

Gives group admin (for us, the hosting providers) rwx
Gives user www-data (Apache) r-x to the files*
Gives user $USERNAME rwx to the files
Gives group $USERNAME rwx to the files

This setup appears to be working well for us, but we are open to any suggestions for doing it better.

_{* we use suexec for CGI/PHP running as the customer account}

Best Answer

Related Solutions

Ubuntu – SFTP Fatal Bad Ownership or Modes for Chroot Directory

Linux – Creating multiple SFTP users for one account

Related Topic