Sftp folder restriction is not working.

Support for security such as Firewalls and securing linux
newbie14
Posts: 66
Joined: 2010/08/29 19:22:49

Sftp folder restriction is not working.

Postby newbie14 » 2017/05/19 20:44:18

I am trying to create a new user and restrict his access to only a single folder in /usr/local/. So I did some google and followed the following steps.

groupadd controlgroup1
cd /usr/local
mkdir controlfolder1
cd controlfolder1
mkdir control1
chmod g+rw controlfolder1/control1
chgrp -R controlgroup1 controlfolder1/control1
useradd control1
passwd control1
gpasswd -a control1 controlgroup1

Next I ran this
chown root:root /usr/local/controlfolder1
chmod 700 /usr/local/controlfolder1
chown -R control1:controlgroup1 /usr/local/controlfolder1/control1

I went into /etc/sshd_config and toward the end of the file I added this

Code: Select all

Match Group controlgroup1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /usr/local/controlfolder1/control1
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no


I restarted ssh. Then when I login the user is free to traverse around any folder in the whole system with no restriction at all. So can I ensure when he log in only view this folder and in addition how to give ssh access also to this folder too.

aks
Posts: 2489
Joined: 2014/09/20 11:22:14

Re: Sftp folder restriction is not working.

Postby aks » 2017/05/21 11:48:14

Permissions alone will not achieve what you want. Perhaps you should look into chrooting sftp. I seem to recall the key value was ChrootDirectory <directory>.

newbie14
Posts: 66
Joined: 2010/08/29 19:22:49

Re: Sftp folder restriction is not working.

Postby newbie14 » 2017/05/22 18:01:23

Hi Aks,
How to chrooting sftp? Isnt what I did is chrooting?

tunk
Posts: 134
Joined: 2017/02/22 15:08:17

Re: Sftp folder restriction is not working.

Postby tunk » 2017/05/23 11:48:19

Are you sure that the control1 user has controlgroup1 as primary group?

newbie14
Posts: 66
Joined: 2010/08/29 19:22:49

Re: Sftp folder restriction is not working.

Postby newbie14 » 2017/05/24 19:28:29

Hi Tunk,
Isnt this gpasswd -a control1 controlgroup1 you to confirm it belongs to controlgroup1?

tunk
Posts: 134
Joined: 2017/02/22 15:08:17

Re: Sftp folder restriction is not working.

Postby tunk » 2017/05/25 11:45:20

I haven't used gpasswd before, so I don't really know, but I suspect/guess that it adds a secondary group.
Can you look at /etc/passwd to see what the primary group is?

newbie14
Posts: 66
Joined: 2010/08/29 19:22:49

Re: Sftp folder restriction is not working.

Postby newbie14 » 2017/05/25 18:00:34

Hi Tunk,
I check the passwd and its shows me this line.
control1:x:501:501::/home/control1:/bin/bash.

tunk
Posts: 134
Joined: 2017/02/22 15:08:17

Re: Sftp folder restriction is not working.

Postby tunk » 2017/05/26 09:49:45

The second 501 is the primary group ID (GID). Look at /etc/group to see which group that is.
Most likely it's a group created by the OS when you ran useradd control1, and not controlgroup1.
Maybe this helps: https://unix.stackexchange.com/question ... mary-group

User avatar
TrevorH
Forum Moderator
Posts: 20282
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sftp folder restriction is not working.

Postby TrevorH » 2017/05/26 10:23:00

getent group 501 will tell you what group 501 is.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

newbie14
Posts: 66
Joined: 2010/08/29 19:22:49

Re: Sftp folder restriction is not working.

Postby newbie14 » 2017/05/26 16:54:10

Hi Trevor,It showing this
controlgroup1:x:501:
So indeed the user is on the right group.


Return to “CentOS 6 - Security Support”

Who is online

Users browsing this forum: No registered users and 1 guest