Sftp folder restriction is not working.

newbie14
Posts: 63
Joined: 2010/08/29 19:22:49

Post by newbie14 » 2017/05/19 20:44:18

I am trying to create a new user and restrict his access to only a single folder in /usr/local/. So I did some googling and followed these steps.

groupadd controlgroup1
cd /usr/local
mkdir controlfolder1
cd controlfolder1
mkdir control1
chmod g+rw controlfolder1/control1
chgrp -R controlgroup1 controlfolder1/control1
useradd control1
passwd control1
gpasswd -a control1 controlgroup1

Next I ran this
chown root:root /usr/local/controlfolder1
chmod 700 /usr/local/controlfolder1
chown -R control1:controlgroup1 /usr/local/controlfolder1/control1

I went into /etc/sshd_config and toward the end of the file I added this

Code:

Match Group controlgroup1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /usr/local/controlfolder1/control1
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no


I restarted ssh. Then when I log in, the user is free to traverse any folder in the whole system with no restriction at all. So how can I ensure that when he logs in he can only view this folder, and in addition how do I give ssh access to this folder too?

aks
Posts: 2385
Joined: 2014/09/20 11:22:14

Re: Sftp folder restriction is not working.

Post by aks » 2017/05/21 11:48:14

Permissions alone will not achieve what you want. Perhaps you should look into chrooting sftp. I seem to recall the key value was ChrootDirectory <directory>.

newbie14
Posts: 63
Joined: 2010/08/29 19:22:49

Re: Sftp folder restriction is not working.

Post by newbie14 » 2017/05/22 18:01:23

Hi Aks,
How do I chroot sftp? Isn't what I did chrooting?

tunk
Posts: 70
Joined: 2017/02/22 15:08:17

Re: Sftp folder restriction is not working.

Post by tunk » 2017/05/23 11:48:19

Are you sure that the control1 user has controlgroup1 as primary group?
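
sshd_config(5) states that every component of a ChrootDirectory path must be a root-owned directory that is not writable by any other user or group. The script below is an added example, not part of the thread, that checks a path against that rule; the function names are made up here and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for an sshd ChrootDirectory.
# Rule from sshd_config(5): all path components are root-owned directories
# that are not writable by group or others.

# component_ok UID OCTAL_MODE -> returns 0 if this owner/mode pair satisfies the rule.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # A leading 0 makes the shell read the mode as octal; 022 = group/other write bits.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> prints every failing component.
# Returns 0 if all pass, 1 if any fail, 2 if DIR is not a directory.
check_chroot_path() {
    local p rc info uid mode
    rc=0
    p=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; return 2; }
    while :; do
        info=$(stat -c '%u %a' "$p")    # GNU stat: owner uid and octal mode
        uid=${info% *}
        mode=${info#* }
        if ! component_ok "$uid" "$mode"; then
            echo "FAIL $p (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")               # walk up one component towards /
    done
    return $rc
}

# Usage with the path from the first post (run on the server itself):
#   check_chroot_path /usr/local/controlfolder1/control1
```

Run as root, `sshd -T -C user=control1,host=localhost,addr=127.0.0.1` prints the settings sshd would apply to that user, which shows whether the `Match Group` block is taking effect at all.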

