LinuxQuestions.org
Old 03-10-2011, 08:39 AM   #1
manutdfan1988
LQ Newbie
 
Registered: Jan 2011
Location: Worcester, UK
Distribution: Red Hat 5.5
Posts: 28

Rep: Reputation: 0
Lockdown User to Home Directory with SSH problem


I am having problems setting up SFTP on a Red Hat server to clamp users down to their home directory.

I have created the user, removed the /bin/bash login shell and replaced it with the line below in the passwd file. The user can log in by SFTP but can browse around the server and download any files apart from other users' files. I have also assigned the user to the sftp user group.

Code:
SFTPUser:x:515:515::/home/SFTPUser:/usr/libexec/openssh/sftp-server
Added the following section to the file /etc/ssh/sshd_config:

Code:
Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

Last edited by manutdfan1988; 03-29-2011 at 08:13 AM.
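An added pre-flight check for the setup in post #1 (example code written for this thread, not from the poster or from OpenSSH). sshd only chroots into a directory when that directory and every parent up to / are owned by root and not writable by group or others, and a "Match Group sftp" block only applies to members of that group; the script checks both. The user name SFTPUser, the group name sftp and the script file name chroot_check.sh are assumed from the thread. Two further points to remember: everything after a Match line in sshd_config belongs to that block, so the block goes at the end of the file, and sshd has to be restarted (or reloaded) before any change takes effect.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an OpenSSH
# "ChrootDirectory %h" setup. Each path component from the home directory
# up to / must be root-owned and free of group/other write bits, or sshd
# refuses to chroot. User, group and file names are assumed examples.

# chroot_component_ok DIR [OWNER_UID]
# Exit 0 if DIR is owned by OWNER_UID (default 0 = root) and has neither the
# group-write nor the other-write bit set. Uses stat -c (GNU/busybox stat).
chroot_component_ok() {
    _dir=$1
    _owner=${2:-0}
    _stat=$(stat -c '%u %A' "$_dir" 2>/dev/null) || {
        echo "$_dir: cannot stat" >&2
        return 2
    }
    _uid=${_stat%% *}
    _perm=${_stat#* }
    if [ "$_uid" != "$_owner" ]; then
        echo "$_dir: owned by uid $_uid, sshd requires uid $_owner" >&2
        return 1
    fi
    # Symbolic mode looks like drwxr-xr-x: character 6 is the group write
    # bit and character 9 the other write bit.
    case $_perm in
        ?????w*|????????w*)
            echo "$_dir: mode $_perm is group- or world-writable" >&2
            return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR [OWNER_UID] [TOP]
# Walk from DIR upwards to TOP (default /) and check every component.
chroot_path_ok() {
    _d=$1
    _top=${3:-/}
    while :; do
        chroot_component_ok "$_d" "${2:-0}" || return $?
        [ "$_d" = "$_top" ] && return 0
        [ "$_d" = "/" ] && return 0
        _d=$(dirname "$_d")
    done
}

# user_in_group USER GROUP: exit 0 if USER has GROUP as primary or
# supplementary group, which is what "Match Group" tests.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# main [USER] [GROUP]: run the checks on the server, as root.
main() {
    sftp_user=${1:-SFTPUser}
    sftp_group=${2:-sftp}
    home_dir=$(getent passwd "$sftp_user" | cut -d: -f6)
    [ -n "$home_dir" ] || { echo "no such user: $sftp_user" >&2; return 1; }
    chroot_path_ok "$home_dir" || return 1
    user_in_group "$sftp_user" "$sftp_group" || {
        echo "$sftp_user is not in group $sftp_group; the Match block will not apply" >&2
        return 1
    }
    # sshd -t parses the configuration; an sshd too old to know the keyword
    # reports "Bad configuration option: ChrootDirectory" here.
    sshd -t || return 1
    echo "ok: $home_dir can be used as ChrootDirectory for $sftp_user"
}

# Run main only when executed as chroot_check.sh, so the functions can be sourced.
case $0 in */chroot_check.sh) main "$@" ;; esac
```

Because the jail root must be root-owned, the user cannot be given write access to the home directory itself; the usual layout is a root-owned home with a user-owned subdirectory (for example upload/) underneath it.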
 
Old 03-10-2011, 08:45 AM   #2
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS
Posts: 174

Rep: Reputation: 6
Try this if you have VSFTP installed:

http://www.cyberciti.biz/tips/vsftp-...directory.html
 
Old 03-10-2011, 09:33 AM   #3
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 118

Rep: Reputation: 22
chrooting users to home directories

Hello,
This tutorial was written for Debian users, but the script that you have to download works for Debian, Red Hat, and SuSE:
http://www.howtoforge.com/chrooted-s...l-debian-lenny

The script creates the device nodes in the jails and copies the programs and libraries to the jail.

There is a bug in the script, and you have to make lines 406 and 407 look like the following (without the line numbers, of course):
Code:
    406 TMPFILE1=`mktemp` ||  TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv ${TMPFILE1} ${TMPFILE1}.bak;fi
    407 TMPFILE2=`mktemp` ||  TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv ${TMPFILE2} ${TMPFILE2}.bak;fi
Also, if it can't find a library (like libcap.so.1) then symlink it to the library that is being used:
Code:
lrwxrwxrwx 1 root root    16 2011-03-10 09:29 /lib/libcap.so.1 -> /lib/libcap.so.2
lrwxrwxrwx 1 root root    14 2010-08-14 12:15 /lib/libcap.so.2 -> libcap.so.2.17
-rw-r--r-- 1 root root 18888 2010-03-08 15:46 /lib/libcap.so.2.17
There should be no errors, and the script should report the following and exit:
Code:
Copying necessary library-files to jail (may take some time)
Copying files from /etc/pam.d/ to jail
Copying PAM-Modules to jail
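The script linked in post #3 copies each program together with the shared libraries it is linked against into the jail. As an added illustration of that step (example code written for this thread, not the howtoforge script), the functions below resolve a binary's libraries with ldd, copy them to the same absolute paths under the jail, and list anything still missing, which is exactly the situation where the libcap.so.1 symlink above was needed. The jail path /home/jail and the script name build_jail.sh are assumed examples.

```shell
#!/bin/sh
# Added example (not the howtoforge script): copy a program and the shared
# libraries it needs into a chroot jail, and report libraries that are still
# missing. Library paths come from ldd, so the result is specific to the
# machine it runs on. Jail path and binary list are assumed examples.

# bin_deps BIN: print the absolute paths of the shared objects BIN needs,
# one per line, the dynamic loader included, as reported by ldd.
bin_deps() {
    ldd "$1" 2>/dev/null | awk '
        # "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        # "/lib64/ld-linux-x86-64.so.2 (0x...)"  (the loader has no "=>")
        $1 ~ /^\// { print $1 }
    '
}

# jail_copy_file JAIL SRC: copy SRC into JAIL at the same absolute path,
# creating parent directories. Symlinked libraries are copied as regular
# files (cp -L) so the jail does not depend on link targets outside it.
jail_copy_file() {
    _jail=$1 _src=$2
    mkdir -p "$_jail$(dirname "$_src")"
    cp -pL "$_src" "$_jail$_src"
}

# jail_copy_bin JAIL BIN: copy BIN and its shared libraries into JAIL.
# Returns 0 on success, 1 if BIN is not executable, 2 if a copy failed.
jail_copy_bin() {
    _jail=$1 _bin=$2
    [ -x "$_bin" ] || { echo "$_bin: not an executable" >&2; return 1; }
    jail_copy_file "$_jail" "$_bin" || return 2
    # A static binary yields no paths from bin_deps, so the loop is skipped.
    for _lib in $(bin_deps "$_bin"); do
        jail_copy_file "$_jail" "$_lib" || return 2
    done
    return 0
}

# jail_missing_deps JAIL BIN: print the libraries BIN needs that are absent
# from JAIL. Empty output means the binary should load inside the jail; a
# listed soname is where a symlink like libcap.so.1 -> libcap.so.2 is needed.
jail_missing_deps() {
    _jail=$1
    for _lib in $(bin_deps "$2"); do
        [ -e "$_jail$_lib" ] || echo "$_lib"
    done
}

# main [JAIL]: build a minimal jail holding /bin/sh and /bin/ls (run as root).
main() {
    jail=${1:-/home/jail}
    for b in /bin/sh /bin/ls; do
        jail_copy_bin "$jail" "$b" || exit 1
    done
    missing=$(jail_missing_deps "$jail" /bin/ls)
    if [ -n "$missing" ]; then
        echo "still missing in $jail:" >&2
        echo "$missing" >&2
        exit 1
    fi
    echo "jail at $jail is complete for /bin/sh and /bin/ls"
}

# Run main only when executed as build_jail.sh, so the functions can be sourced.
case $0 in */build_jail.sh) main "$@" ;; esac
```

Device nodes (/dev/null, /dev/tty) and the PAM files the script also copies are outside this example; the same copy-and-verify pattern applies to every further binary you add to the jail.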
 
Old 03-10-2011, 09:34 AM   #4
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 3,146
Blog Entries: 1

Rep: Reputation: 1002
Fyi: I got this to work on Fedora 14
 
Old 03-11-2011, 03:47 AM   #5
manutdfan1988
LQ Newbie
 
Registered: Jan 2011
Location: Worcester, UK
Distribution: Red Hat 5.5
Posts: 28

Original Poster
Rep: Reputation: 0
Thanks for the responses;

d072330 - the only problem is that that is standard FTP, and I am trying to get it working using SFTP.

agentbuzz - I have followed the steps in the Enable Chrooted SFTP section, which didn't require me to run the script; that was in the chrooted SSH section.

I am still having a few problems: the user can log in OK, but the full directory tree can be viewed. I presumed it would be cut off at the home directory node so the user cannot see anything above their own folders.
 
Old 03-11-2011, 07:20 AM   #6
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 118

Rep: Reputation: 22
/home/home chroot

manutdfan1988:
Do you mean users can browse "/home"? Did you make the symlink inside of /home?
Code:
cd /home
ln -s . home
When the user logs in, he should see the following when he's trying to look around the file system:
Code:
-bash-4.1$ ls -l /sbin
total 36
-rwxr-sr-x 1 root 42 35488 Jul  7  2010 unix_chkpwd
-bash-4.1$ ls -l /home
lrwxrwxrwx 1 root root 1 Mar 11 12:28 /home -> .
-bash-4.1$ ls -l /root
ls: cannot access /root: No such file or directory
-bash-4.1$ ls -l /boot
ls: cannot access /boot: No such file or directory
Also, you still have to do a recursive chown to the user's home directory so that the .bash_profile and other files are writable.
 
Old 03-17-2011, 07:57 AM   #7
manutdfan1988
LQ Newbie
 
Registered: Jan 2011
Location: Worcester, UK
Distribution: Red Hat 5.5
Posts: 28

Original Poster
Rep: Reputation: 0
Users can browse the whole file system structure, so everything from '/' onwards.

Have just added the symlink and that seems to have made no difference.

I have also chown'ed recursively the directory and chmod'ed the directory to be 700.

Have changed it over to be Match User instead of Match Group just in case that was causing the problem; again, still no luck.

Thanks
 
Old 03-30-2011, 10:59 AM   #8
manutdfan1988
LQ Newbie
 
Registered: Jan 2011
Location: Worcester, UK
Distribution: Red Hat 5.5
Posts: 28

Original Poster
Rep: Reputation: 0
Still not having any luck on this. I tried the following link, using the comment at the bottom, but the same as always happens: the user can SFTP but can see the whole file structure on the server.

https://access.redhat.com/kb/docs/DOC-34390

Any ideas would be much appreciated.
 
Old 01-29-2013, 03:36 PM   #9
d072330
Member
 
Registered: Nov 2007
Location: USA
Distribution: CentOS
Posts: 174

Rep: Reputation: 6
Sure you solved this by now, but you can run vsftp on a secure port according to this site:
