Ubuntu – User can access to only one directory with scp

file-permissionspermissionsscpsshUbuntu

I want to create a user for my Ubuntu server. I will use this user to copy some files from server to my local computer. So permissions should be really limited. This user can only reach to /some/path directory in the server and read files. Nothing more.

To achieve this, I've created a user:

sudo useradd scp_user -M -d /some/path
sudo groupadd scp_group
sudo usermod scp_user -g scp_group
sudo usermod scp_user -s /bin/false  # disable ssh login
sudo chown -R scp_user:scp_group /some/path

And in my ssh config file:

Match Group scp_group
    ChrootDirectory %h
    #ForceCommand scp 
    AllowTcpForwarding no

But getting an error:

scp scp_user@IP:/some/path/test.zip test.zip
scp_user@IP's password:
Could not chdir to home directory /some/path: No such file or directory
/bin/false: No such file or directory

Can you please tell me which step I'm missing?

Best Answer

In your question there is various flaws, as already pointed out by others:

The ChrootDirectory jails your user in his home directory
In that directory, there is no /bin/false executable (nor /bin/scp that would be needed for the scp itself).

You can either:

Copy scp binary and its required dynamically loaded libraries into the chroot (users home directory)
Change the users shell back to /bin/bash or /bin/sh
Copy bash or sh binary and its required dynamically loaded libraries into the chroot (users home directory)
(this is awful ...)

Or just use sftp:

Specify Subsystem sftp internal-sftp (and possibly ForceCommand internal-sftp) in the sshd_config
Restart sshd server

You might also encounter some problems with permissions (read the errors in the server log!).

Related Solutions

Linux SCP – Can SCP Copy Directories Recursively?

Yup, use -r:

scp -rp sourcedirectory user@dest:/path

-r means recursive
-p preserves modification times, access times, and modes from the original file.

Note: This creates the sourcedirectory inside /path thus the files will be in /path/sourcedirectory

SSH Rsync – ForceCommand Error: Connection Unexpectedly Closed

The why is easy... ForceCommand does exactly what it says: You connect, it forces you to run that command no matter what you actually wanted to do. In this case, that command is /usr/bin/rsync with no flags.

rsync works by running another copy of rsync on the other side of the connection and talking to it over ssh. In this case though, it's unable to start the other side with the flags it needs because the command is replaced by /usr/bin/rsync

Your rsync-validate script is probably the best way to go about this. It checks the request to make sure it is a valid rsync server command, and only then does it run it. rsync probably could be modified to check the $SSH_ORIGINAL_COMMAND directly when its run without arguments, but there's probably a good security reason not to do so.

Best Answer

Related Solutions

Linux SCP – Can SCP Copy Directories Recursively?

SSH Rsync – ForceCommand Error: Connection Unexpectedly Closed

Related Topic