LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-19-2012, 02:17 PM   #16
CHIadam
LQ Newbie
 
Registered: May 2012
Distribution: RHEL, CentOS
Posts: 16

Original Poster
Rep: Reputation: Disabled

Forget the jailkit idea.. I almost have this completely figured out:

Quote:
Originally Posted by CHIadam View Post

however when I sftp from another box I get this:
sftp> lpwd
Local working directory: /root
This is confusing too.. it let me list the /root contents
sftp> lls
anaconda-ks.cfg install.log.syslog
IBM_Informix_Software_Bundle_InstallLog.log multicast-listener-v2

Then when I do this, I get this!:
sftp> ls -l
drwxr-xr-x 2 500 503 4096 Sep 19 13:26 upload
sftp>
OK, so my buddy, who is a far better Linux wizard than I am, made me realize that lls and lpwd are local (not server), so that clears up that confusion.

Looks like I just need to sort out the permissions; I'll post once I get that right. I'm sure this will help someone else out there in the future.

Last edited by CHIadam; 09-24-2012 at 08:47 AM.
 
Old 09-24-2012, 05:12 PM   #17
CHIadam
LQ Newbie
 
Registered: May 2012
Distribution: RHEL, CentOS
Posts: 16

Original Poster
Rep: Reputation: Disabled
I wound up switching over to RHEL 6.0 for an unrelated reason, did the same thing below and set selinux = 0 and it works.

Here are all of my steps; I bet this works on CentOS 6.3 too:

[root@sftp home]# groupadd sftponly
[root@sftp home]# useradd -d /home/user1 -s /bin/false -G sftponly user1
[root@sftp home]# vi /etc/ssh/sshd_config
Comment this out --> Subsystem sftp /usr/libexec/openssh/sftp-server
Add this below it --> Subsystem sftp internal-sftp

#add this to the bottom of the config file

Match Group sftponly
ChrootDirectory /home/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

[root@sftp home]# service sshd restart

[root@sftp home]# chown root:root user1
[root@sftp home]# chmod 755 user1
[root@sftp home]# mkdir uploads
[root@sftp home]# chmod 700 uploads
 
Old 12-08-2012, 02:27 PM   #18
nishfish
LQ Newbie
 
Registered: Dec 2012
Posts: 1

Rep: Reputation: Disabled
CHIadam,

Thanks for the post. Very useful, and I can confirm the same works for 6.3, although I think there may be one step you are missing in the previous summary. (I think this is because you "fixed" it in an earlier step.)

Once you create the uploads directory, not only do you need to chmod it as suggested but you also need to chown it.

For example:

chown root:root user1
chmod 755 user1
cd user1
mkdir uploads
chown user1:user1 uploads
chmod 700 uploads


FWIW, for anyone trying to get a chroot working with vsftpd and ssh: it does not appear to work, but CHIadam's steps will definitely work as a true chroot jail with ssh, with read-only access to '/' and read/write access to '/uploads'.
 
Old 01-03-2013, 06:44 PM   #19
crwdawg
LQ Newbie
 
Registered: Jul 2004
Posts: 20

Rep: Reputation: 1
This absolutely worked for me, once.
I set up a CentOS 6.3 server and tried several things with VSFTPD before finding this post. After proving it worked, I reloaded to CentOS 6.3 minimal, followed the steps, and it is not working.
The only thing I did differently the 2nd time was add an uploads folder to /etc/skel so each user I created would already have the /home/%u/uploads folder with their user having the permissions. I then changed /home/%u to be owned by root with 755. I cannot upload a file to the uploads folder, even after changing uploads to 700. Here are the permissions as currently set:

[root@localhost ~]# ll /home/
total 20
drwx------. 2 root root 16384 Jan 3 11:56 lost+found
drwxr-xr-x. 3 root root 4096 Jan 3 13:15 user1
[root@localhost ~]# ll /home/user1/
total 4
drwx------. 2 user1 user1 4096 Jan 3 13:15 uploads

Any idea why it is giving me an error?

Permission denied.
Error code: 3
Error message from server: Permission denied
Request code: 3

-Thanks in advance
-Bill

Last edited by crwdawg; 01-03-2013 at 06:46 PM.
 
Old 01-03-2013, 09:10 PM   #20
crwdawg
LQ Newbie
 
Registered: Jul 2004
Posts: 20

Rep: Reputation: 1
Forgot to disable SELinux. Now it works.

Side note: Anyone know how to write an SELinux rule so I can leave it enabled and still have SFTP work?

I also found that if I chmod 700 /etc/skel/uploads it will automatically create /home/%u/uploads as the user, and have 700 permissions.

Once again, thanks for the awesome post.

-Bill
 
Old 01-03-2013, 09:35 PM   #21
crwdawg
LQ Newbie
 
Registered: Jul 2004
Posts: 20

Rep: Reputation: 1
SELinux fix proposed by http://cassjohnston.wordpress.com/20...chrooted-sftp/

Make sure selinux allows write access to chroot’ed home directories:
setsebool -P ssh_chroot_rw_homedirs on


***They suggested that I needed to do the following also, but I found it not necessary***
I also needed to do a restorecon on the home directory to get selinux to allow sftp users to write to their uploads directory, but I found it not necessary at this time.
restorecon -R /home/$USERNAME


Seems to be working okay now.

-Bill
 
Old 02-27-2013, 02:13 AM   #22
linuxexplore
LQ Newbie
 
Registered: Oct 2012
Location: India
Distribution: CentOS, Ubuntu
Posts: 6
Blog Entries: 1

Rep: Reputation: Disabled
Add the following tail output to your Linux box's SSH server configuration file /etc/ssh/sshd_config.

[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then restart sshd service to enable this configuration.

[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com

That's all. Now create multiple users for web hosting and offer secure sftp access to your customers.
Shell Script to Create Web Hosting Users:

#!/bin/bash
# Creates a chroot-only SFTP user for web hosting; the variable-name typos
# (USR_NAMEP, CHROO_GRP) are fixed and variables are quoted.
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ -n "$USR_NAME" ] || { echo "usage: $0 username" >&2; exit 1; }
[ ! -d "$HOSTING_DIR" ] && mkdir -p "$HOSTING_DIR"
grep -q "^${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd "$CHROOT_GRP"
grep -q "^${USR_NAME}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g "$CHROOT_GRP" "$USR_NAME"
chown "root:$CHROOT_GRP" "/home/$USR_NAME"
chmod 755 "/home/$USR_NAME"

Selinux Configuration:

Disable SELinux permanently, or configure it to allow read/write access to the user's home directory in the SSH chroot.

[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

For more information, this might help: Chroot SFTP CentOS 6
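A checker for the layout the thread settles on, as an added example that is not part of any post here: it verifies the root-owned, non-writable chroot directory, the user-owned uploads directory (the chown step from post #18), and, where SELinux is enforcing, the ssh_chroot_rw_homedirs boolean from post #21, so the layout can be checked before sshd is restarted. It assumes GNU coreutils stat; all function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: verify the layout the posts converge on
# (chroot root owned by root and not group/other writable, a writable uploads
# subdirectory owned by the user, and the SELinux boolean from post #21).
# Assumes GNU coreutils stat; the function names are this example's own.

# uid_of NAME_OR_UID: numeric uid, so the checks also work where stat cannot
# map a uid back to a name.
uid_of() { id -u "$1" 2>/dev/null || echo "$1"; }

# chroot_dir_ok DIR OWNER: sshd refuses a ChrootDirectory (and every path
# component above it) unless it is owned by root and has no group or other
# write bit, which is why /home/%u has to be root:root 755.
chroot_dir_ok() {
    dir=$1; want=$(uid_of "$2")
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(stat -c '%u %a' "$dir")
    [ "$1" = "$want" ] || { echo "$dir: owned by uid $1, expected $want"; return 1; }
    [ $(( 0$2 & 022 )) -eq 0 ] || { echo "$dir: mode $2 is group/other writable"; return 1; }
}

# upload_dir_ok DIR USER: the writable subdirectory must belong to USER and be
# owner-writable; this is the chown step nishfish found missing in post #18.
upload_dir_ok() {
    dir=$1; want=$(uid_of "$2")
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    set -- $(stat -c '%u %a' "$dir")
    [ "$1" = "$want" ] || { echo "$dir: owned by uid $1, expected $want"; return 1; }
    [ $(( 0$2 & 0200 )) -ne 0 ] || { echo "$dir: mode $2 is not owner-writable"; return 1; }
}

# check_sftp_home HOME USER [CHROOT_OWNER]: both checks for /home/USER and its
# uploads directory. CHROOT_OWNER defaults to root, as sshd requires; it is a
# parameter only so the check can be exercised on a scratch tree.
check_sftp_home() {
    chroot_dir_ok "$1" "${3:-root}" && upload_dir_ok "$1/uploads" "$2"
}

# selinux_chroot_ok: with SELinux enforcing, ssh_chroot_rw_homedirs must be on
# (post #21); otherwise uploads fail with "Permission denied" as in post #19.
selinux_chroot_ok() {
    command -v getenforce >/dev/null 2>&1 || return 0   # no SELinux on this box
    [ "$(getenforce)" = "Enforcing" ] || return 0
    getsebool ssh_chroot_rw_homedirs 2>/dev/null | grep -q ' on$'
}

# Usage on the SFTP server, as root:  sh check_sftp_chroot.sh user1
if [ -n "$1" ]; then
    check_sftp_home "/home/$1" "$1" && selinux_chroot_ok && echo "/home/$1: chroot layout OK"
fi
```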
 
Tags
centos, chroot jail, sftp