Asked Saturday, January 14, 2023 · 4 votes · 1 answer · 5662 views

I really need some help; I have been trying to jail a user on Ubuntu.

Things to note:

  1. james is the user
  2. sshusers is the group
  3. /home/james/upload/ is the directory where I wish to lock the user



sshd_config:

AllowGroups sshusers

Match Group sshusers
ChrootDirectory /home/%u/upload/
ForceCommand internal-sftp


I followed an answer on Ask Ubuntu; here are my commands:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload


Problem:

I get this error:

Error:  Network error: Software caused connection abort
Error: Could not connect to server


I investigated in the logs, and I found this:

fatal: bad ownership or modes for chroot directory component "/home/james/upload/"




But if I run the following commands

sudo chown root /home/james/upload
sudo chmod go-w /home/james/upload

it works perfectly: the user can connect and the folder is locked, BUT the user cannot drop files in the directory.

Status: Listing directory /
Status: Directory listing successful
Status: Starting upload of C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm
Command: put "C:\Users\Program\AppData\Local\Temp\fz3temp-1\empty_file_yq744zm" "test"
Error: /test: open for write: permission denied
Error: File transfer failed


Please advise; I have searched Google so much that all the links are purple now (visited :P).

I'm using the FileZilla client to test SFTP.


Answer (3 votes)
The ChrootDirectory directive expects that the chroot directory be owned by root, and not writable by anybody else. So you cannot jail a user to a directory and allow the user permission to write to that directory. You can:

Chroot to home, upload to upload/



The first set of commands you tried is correct for this:

sudo chown root /home/james
sudo chmod go-w /home/james
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwX /home/james/upload

However, the option in sshd_config would be:

Match Group sshusers
ChrootDirectory %h
ForceCommand internal-sftp

(%h is replaced by the home directory of the user being authenticated, equivalent to /home/%u in most cases.)
In addition, to limit the visibility of folders in /home/james and restrict write permission there, use the recursive options for chown and chmod in the first commands for /home/james, and remove read permissions. The modified set would look like:

sudo chown -R root /home/james
sudo chmod -R go-rwx /home/james   # Disallow traversing any directory in home
sudo chmod go+x /home/james        # Allow traversing this directory
sudo mkdir /home/james/upload
sudo chown james:sshusers /home/james/upload
sudo chmod ug+rwx /home/james/upload

Now the user should only be able to access /home/james/upload, or /upload from inside the chroot.



Chroot to upload, upload to upload/some_directory

Pretty much the same as above, replacing /home/james/ with /home/james/upload, and /home/james/upload with /home/james/upload/some_directory. No particular gains.



Change the home directory of james to /upload

The usual behaviour of ChrootDirectory is: "After the chroot, sshd(8) changes the working directory to the user's home directory."
So we change james's home directory:

sudo usermod -d /upload james   # the path is resolved inside the chroot, i.e. /home/james/upload

Then set the ChrootDirectory to /home/%u. Use the same restrictions as in the first option.


Answered by enincroscope, Sunday, January 15, 2023
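The "bad ownership or modes for chroot directory component" failure in the question comes from a check sshd runs on the chroot path and every one of its ancestors before it will chroot, so the quickest way to validate a layout (the answer's first option, or any other) is to reproduce that walk before restarting the daemon. The following bash script is an added example written for this page; it is not the questioner's, the answerer's or OpenSSH's code. It assumes GNU coreutils stat (the -c format flag), and the function names and the wording after the colon in its messages are my own; only the leading part of the message, which it reproduces, is sshd's.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from OpenSSH. It mimics the
# per-component test sshd applies to a ChrootDirectory: the chroot path and
# every ancestor up to / must be owned by root (uid 0) and must not be
# group- or world-writable, otherwise sshd logs
#   fatal: bad ownership or modes for chroot directory component "..."
# Assumptions: bash and GNU coreutils stat (BSD/macOS stat spells the
# format flag -f and uses different directives).

# Read "uid mode path" lines (the format printed by `stat -c '%u %a %n'`)
# from stdin, one per path component, and give the verdict sshd would give.
# Returns 0 when every component passes, 1 at the first failing component.
verdict_for_components() {
    local uid mode path g o
    while read -r uid mode path; do
        [ -z "$path" ] && continue
        # mode is octal digits without a leading 0 (as stat prints it):
        # the tens digit is the group triplet, the ones digit is "other";
        # bit 2 of each triplet is the write bit.
        g=$(( 10#$mode / 10 % 10 ))
        o=$(( 10#$mode % 10 ))
        if [ "$uid" != 0 ]; then
            echo "bad ownership or modes for chroot directory component \"$path\": owner uid $uid, expected 0"
            return 1
        fi
        if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
            echo "bad ownership or modes for chroot directory component \"$path\": mode $mode is group- or world-writable"
            return 1
        fi
    done
    echo "ok: every component is root-owned and not group/world-writable"
}

# Print "uid mode path" for DIR and each of its ancestors up to /.
list_components() {
    local cur
    cur=$(cd -- "$1" 2>/dev/null && pwd -P) || { echo "no such directory: $1" >&2; return 1; }
    while :; do
        stat -c '%u %a %n' -- "$cur"
        [ "$cur" = / ] && break
        cur=$(dirname -- "$cur")
    done
}

# check_chroot_path /home/james   -> verdict for "ChrootDirectory /home/james"
check_chroot_path() {
    list_components "$1" | verdict_for_components
}

# Command-line use, e.g.:   ./check_chroot.sh /home/james
# Only directory metadata is read, so root is not needed unless a component
# is unreadable to the invoking user.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the walk continues all the way to /, a root-owned jail placed under a world-writable parent such as /tmp (mode 1777) fails just like the james-owned upload directory in the question did; the only layouts that pass are the ones the answer describes, where the chroot itself and everything above it is root-owned and at most root-writable, and the user's writable directory sits one level inside it. The script says nothing about the sshd_config side: with AllowGroups sshusers in place, james must actually be a member of sshusers or the login is refused before any chroot happens.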