Solved

Hide Home Directories in CHROOT Jail

Posted on 2012-12-31
4
500 Views
Last Modified: 2013-01-03
Hello,

I have a CHROOT jail for SFTP users that's working well but there's one thing that bugs me and I'd like to try to fix it if I could.  

I have the following in my /etc/ssh/sshd_config file:

Subsystem sftp internal-sftp

Match group sftponly
        ChrootDirectory /home
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

When I want to add an sftponly user I perform the following steps:

# useradd username
# passwd username
# usermod -g sftponly username
# mkdir /home/username
# chown username /home/username
# chmod 700 /home/username

This allows sftp only access to the user and they only have permissions to read and write in their own directory but, they can see a list of all of the other users directories in /home.  

I would prefer it if when an sftponly user logs in via SFTP, only their home directory is visible or, something runs when they login via an SFTP client that automatically changes their directory and dumps them in their home folder.  

I'm open to other ideas but the end result would be that the user doesn't see the other user's folders.  

Thanks for any help!  Happy New Year!
0
Comment
Question by:ttist25
  • 2
  • 2
4 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 38733343
You could jail your users into their particular home directories instead of just /home.

This can be done in the "Match" block of sshd_config with

ChrootDirectory /home/%u

or

ChrootDirectory %h

which is equivalent in your case, because "%u" is a placeholder for the userid of the user logging in and "%h" is a placeholder for their complete home directory path.
0
 
LVL 1

Author Comment

by:ttist25
ID: 38733410
Thanks for your response woolmilkporc.  

I tried as you suggested and I end up with an authentication failure.  I seem to remember this from when I was setting it up.  Something about the root folder for the chroot jail must be owned by root.  

In the past I wondered if the best solution was to somehow dump the user over to the /home/%u folder when they connected.  This wouldn't necessarily stop them from traversing up a level to see the other user folders in /home but, it wouldn't smack them in the face with  it either.  Know what I mean?  

I have no idea how I'd do that though if it's even possible (consider that nearly all uers will be connecting with an SFTP client like winscp).  

Thanks again for your help.  It is greatly appreciated.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 38733517
OK,

I forgot to mention the details.

You're right, the chroot directory and all components of its path must be owned by root with write access by the owner (root) only.

But you can create a user-owned, user-writeable directory below ChrootDir, e..g /home/username/username.

Leave ChrootDir as /home/%u, but change the user's home directory to just "/username". sshd changes to this directory after chrooting (relative to the new root!), which means that the user will end up in /home/username/username.

Once logged in with sftp "pwd" will show

Remote working directory: /username

The user can well issue "cd .. ; ls" or "ls ..", but this will just show the contents of /home/username, not those of /home.

After "cd .." "pwd" will show:

Remote working directory: /

but this is in fact /home/username (the ChrootDir)

Please let me know if you need the detailed commands to implement this.
0
 
LVL 1

Author Closing Comment

by:ttist25
ID: 38742161
Brilliant!  

I've been trying to do that for a while now.  Thanks so much.  

HAPPY NEW YEAR!
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Can't get /etc/resolv.conf to configure after reboot 8 74
Ubuntu/Asterisk after upgrade Wav issue 19 55
bash script question (chmod) 10 56
Changing passwords in Linux Systems 3 41
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now