Sftp folder restriction is not working.

Posted: 2017/05/19 20:44:18
by newbie14
I am trying to create a new user and restrict his access to only a single folder in /usr/local/. So I did some googling and followed the following steps.

groupadd controlgroup1
cd /usr/local
mkdir controlfolder1
cd controlfolder1
mkdir control1
chmod g+rw controlfolder1/control1
chgrp -R controlgroup1 controlfolder1/control1
useradd control1
passwd control1
gpasswd -a control1 controlgroup1

Next I ran this
chown root:root /usr/local/controlfolder1
chmod 700 /usr/local/controlfolder1
chown -R control1:controlgroup1 /usr/local/controlfolder1/control1

I went into /etc/sshd_config and toward the end of the file I added this

Match Group controlgroup1
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /usr/local/controlfolder1/control1
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

I restarted ssh. Then when I log in, the user is free to traverse any folder in the whole system with no restriction at all. So how can I ensure that when he logs in he can only view this folder, and in addition how do I give ssh access to this folder too?

Re: Sftp folder restriction is not working.

Posted: 2017/05/21 11:48:14
by aks
Permissions alone will not achieve what you want. Perhaps you should look into chrooting sftp. I seem to recall the key value was ChrootDirectory <directory>.

Re: Sftp folder restriction is not working.

Posted: 2017/05/22 18:01:23
by newbie14
Hi Aks,
How do I chroot sftp? Isn't what I did chrooting?

Re: Sftp folder restriction is not working.

Posted: 2017/05/23 11:48:19
by tunk
Are you sure that the control1 user has controlgroup1 as primary group?

Re: Sftp folder restriction is not working.

Posted: 2017/05/24 19:28:29
by newbie14
Hi Tunk,
Isn't this gpasswd -a control1 controlgroup1 enough to confirm it belongs to controlgroup1?

Re: Sftp folder restriction is not working.

Posted: 2017/05/25 11:45:20
by tunk
I haven't used gpasswd before, so I don't really know, but I suspect/guess that it adds a secondary group.
Can you look at /etc/passwd to see what the primary group is?

Re: Sftp folder restriction is not working.

Posted: 2017/05/25 18:00:34
by newbie14
Hi Tunk,
I checked the passwd and it shows me this line.
control1:x:501:501::/home/control1:/bin/bash.

Re: Sftp folder restriction is not working.

Posted: 2017/05/26 09:49:45
by tunk
The second 501 is the primary group ID (GID). Look at /etc/group to see which group that is.
Most likely it's a group created by the OS when you ran useradd control1, and not controlgroup1.
Maybe this helps: https://unix.stackexchange.com/question ... mary-group

Re: Sftp folder restriction is not working.

Posted: 2017/05/26 10:23:00
by TrevorH
getent group 501 will tell you what group 501 is.

Re: Sftp folder restriction is not working.

Posted: 2017/05/26 16:54:10
by newbie14
Hi Trevor, it's showing this
controlgroup1:x:501:
So indeed the user is on the right group.
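A check script for the setup discussed in this thread, added here as an example rather than code from any of the posters: sshd only honours ChrootDirectory when that directory and every parent are root-owned and not group/other-writable (so pointing it at the control1 directory that was chown'ed to control1, as in the first post, is rejected, while the root-owned, mode 700 controlfolder1 above it qualifies), and Match Group matches supplementary groups as well as the primary one. The function names and the optional scratch-tree arguments are my own; the sshd -T -C line is only mentioned as a hint and is not run by the script.

```shell
#!/bin/sh
# Pre-flight checks for an sshd ChrootDirectory setup (added example, not from the thread).
# sshd refuses to chroot unless every directory from / down to the chroot
# is owned by uid 0 and not writable by group or others; the user's writable
# area has to be a subdirectory inside it. The names used in the usage line
# (controlfolder1, control1, controlgroup1) come from the thread.

# check_chroot_path DIR [WANT_UID] [TOP]
# Walks from DIR up to TOP (inclusive) and prints every component that is
# not owned by WANT_UID or has a group/other write bit. WANT_UID defaults
# to 0 and TOP to /, which is what sshd enforces; the optional arguments
# exist only so the check can be exercised on a scratch tree.
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; top=${3:-/}; rc=0; p=$dir
    while :; do
        info=$(stat -c '%u %a' "$p") || return 2   # owner uid and octal mode
        set -- $info
        if [ "$1" -ne "$want_uid" ]; then
            echo "bad owner (uid $1, want $want_uid): $p"; rc=1
        fi
        # 022 masks the group-write and other-write bits
        if [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "writable by group/other (mode $2): $p"; rc=1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# in_group USER GROUP: true if GROUP is USER's primary or a supplementary
# group. sshd's "Match Group" matches against both, so a membership added
# with gpasswd -a is enough for the Match block to apply.
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# Usage (as root): sh check_chroot.sh /usr/local/controlfolder1 control1 controlgroup1
# To see which settings sshd actually applies to a user, newer OpenSSH also offers:
#   sshd -T -C user=control1,host=localhost,addr=127.0.0.1 | grep -i chrootdirectory
if [ "$#" -eq 3 ]; then
    check_chroot_path "$1" && echo "chroot path OK: $1"
    if in_group "$2" "$3"; then echo "$2 is in $3"; else echo "$2 is NOT in $3"; fi
fi
```

If the path check prints nothing and exits 0 but the user still lands in a full filesystem, the Match block is not being read at all, which is the case sshd -T -C is meant to expose.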