Ssh – openssh sftp chroot: two levels of access

Tags: chroot, sftp, ssh

I would like to achieve the following with OpenSSH's internal-sftp, chroot and Match directive:

Users belonging to group sftpuser should have read and write access to /srv/sftp/{username} (or similar, certain tricks to present a nicer looking directory structure to the chrooted user might be taken)

Users belonging to group sftpadmin should have read and write access to /srv/sftp and subdirectories, i.e. all the other user directories.

All the users belonging to either sftpadmin or sftpuser are sftp-only users. So no need to worry about shells etc.

/srv/sftp needs to be owned by root for the sftpadmin users to be chrooted to that folder. /srv/sftp/{username} also needs to be owned by root to chroot the sftpuser users to that folder.

How should I best grant the sftpadmin users access to the root owned /srv/sftp/{username} directories?

Could I just use ACL on top of the root permissions?

Best Answer

I ended up doing this:

/srv/sftp/testadmin (home dir of the testadmin user)

/srv/sftp/testuser/testuser (home of the testuser user)

The sftpadmin group I chrooted to /srv/sftp:

Match Group sftpadmin
    ChrootDirectory /srv/sftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

and the sftpuser group I chrooted to /srv/sftp/{username} and changed their starting directory to /srv/sftp/{username}/{username} (which is just /{username} seen from the chroot):

Match Group sftpuser
    ChrootDirectory /srv/sftp/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -d /%u

Finally I gave the sftpadmin group rwx on the /srv/sftp/testuser/testuser dir:

setfacl -m g:sftpadmin:rwx /srv/sftp/testuser/testuser

This roughly accomplished what I wanted. The sftpadmin group can read, write and change working directory to anything beneath /srv/sftp (including the "home dirs" of the sftpuser group). The sftpuser group can only write to /srv/sftp/{username}/{username} directory and not see the other sftpuser home dirs since they are located outside the chroot for the sftpuser group.

The only thing undesirable about this is the /srv/sftp/{username}/{username} structure. A user of the sftpuser group can do cd .. and get back to /srv/sftp/{username}, where said user can do nothing useful except change back to /srv/sftp/{username}/{username}. Changing directory to /srv/sftp/{username} could be prevented by removing the execute bit for /srv/sftp/{username}, but that would also prevent the sftpadmin group from changing to that directory and hence effectively prevent them from listing files etc. in the /srv/sftp/{username}/{username} dir.