SFTP and SELinux is preventing sshd "create" access

djlinuxquestions · 10-21-2010, 11:07 PM

hello,

I have been trying to set up sftp with chrooted users.

I am able to sftp to the user's chrooted home directory
I am able to list files after sftp'ing using 'ls'

But whenever I try to write to the chrooted directory I get the error:

Code:

remote open("/user1/file.txt"): Permission denied

when i look in /var/log/messages

i see the error:

Code:

SELinux is preventing sshd "create" access on file.txt

If I set SElinux to permissive I am able to write the file but the user can navigate to other home directories, etc.

my seetings and permissions:

/etc/ssh/sshd_config:

Code:

Subsystem       sftp    internal-sftp

Match group sftponly
         ChrootDirectory /home/chroot-users
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

permissions:

Code:

drwxr-xr-x.  7 root root  4096 Oct 22 12:33 home
drwxr-xr-x.  4 root root  4096 Oct 22 13:48 chroot-users
drwxr-x---.  4 user1 user1 4096 Oct 22 13:37 user1

/etc/passwd:

Code:

user1:x:502:502::/user1:/bin/false

/etc/group:

Code:

sftponly:x:502:user1

any help in getting the write working would be appreciated.

cheers!

prayag_pjs · 10-21-2010, 11:24 PM

Hi,

Disable selinux.

vim /etc/sysconfig/selinux

Quote:

SELINUX=disabled

djlinuxquestions · 10-22-2010, 12:07 AM

thanks for the prompt reply.

disabling selinux worked. I can only get to /home/chroot-users, and with appropriate permissions cannot enter other users' directories.

however, with the permissions I have set the user can:
1. sftp into their chrooted home directory (/home/chroot-users/user1)
2. cd .. (back to /home/chroot-users)
3. get files from /home/chroot-users
4. put files from user1's directory to /home/chroot-users

so, how can I stop points 2-4 happening (or at least 3 and 4).

the permissions are:

Code:

drwxr-xr-x.  7 root root  4096 Oct 22 12:33 home
drwxr-xr-x.  4 root root  4096 Oct 22 13:48 chroot-users
drwxr-x---.  4 user1 user1 4096 Oct 22 13:37 user1

thanks for any advice.

prayag_pjs · 10-22-2010, 12:11 AM

For point 2.cd .. (back to /home/chroot-users):

Follow this link

http://www.cyberciti.biz/tips/howto-...ail-setup.html

See the end of link : To prevent user....

http://joedonner2001.wordpress.com/r...a-chroot-jail/

djlinuxquestions · 10-22-2010, 12:34 AM

ok, will check that out.

thanks for the assistance.