LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Add user with SFTP but not Shell (https://www.linuxquestions.org/questions/linux-server-73/add-user-with-sftp-but-not-shell-908332/)

Emil M 10-15-2011 11:59 AM

Add user with SFTP but not Shell
 
I want to add some users, who are able to connect through SFTP but must not have Shell access.

I also want them to be locked at one folder and subfolders so they cannot explore the file system.

I have tried this, but it also prevents SFTP so at first point it's not my solution:
Code:

useradd -s /bin/nologin <username>

druuna 10-15-2011 12:05 PM

Hi,

You might want to have a look at scponly

Quote:

scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
Hope this helps.

Emil M 10-15-2011 12:12 PM

Thanks. I get this information:

Code:

If you want scponly to chroot into the user's home directory prior to
doing its work, the scponly binary has to be installed in
/usr/sbin/scponlyc and has to have the suid-root-bit set.

This could lead (in the worst case) to a remotely exploitable root hole.
If you don't need the chroot- functionality, don't install the file.

Install the chrooted binary /usr/sbin/scponlyc SUID root?

Will I be able to change the chroot path afterwards? I need it to be something like /www/dev/ and have several chrooted users pointed to that.

druuna 10-15-2011 12:38 PM

Hi,
Quote:

Originally Posted by Emil M (Post 4499258)
Will I be able to change the chroot path afterwards? I need it to be something like /www/dev/ and have several chrooted users pointed to that.

After what? Once you create a user that does use a chrooted env you need to (delete and) recreate it if it is not correct.

Have a look here: Using scponly To Allow SCP/SFTP Logins And Disable SSH Logins On Debian Squeeze (especially point 4).

Hope this helps.

Emil M 10-15-2011 01:11 PM

Sorry, I searched some more and found this http://blog.frands.net/sftp-only-chr...in-debian-166/

Emil M 10-15-2011 01:35 PM

But I'm having a strange issue here.

I've added the users and the group (developers). They are pointed to /www/dev and I've run the following:

sudo mkdir /www/dev
sudo chown www-data:developers -R /www/dev
sudo chmod 775 -R /www/dev
sudo usermod -a -G developers myUser

But still myUser has no write permissions to that folder, am I missing something here?

druuna 10-16-2011 03:58 AM

Hi,

The instructions you mention in post #5 aren't entirely complete. Have a look at the following posts: Directory permissions in chroot SFTP. In short: You need to create a subdirectory due to security issues.

Assuming that you edited sshd_config correctly, this is what seems to work (as root):
Code:

$ cd /
$ mkdir -p www/dev/upload
# every component of the chroot path must be root-owned and not group/world-writable
$ chown root:root -R www
$ chmod 755 -R www
$ cd www/dev
# only the subdirectory inside the chroot is made group-writable
$ chgrp developers upload
$ chmod 775 upload

The user I tested with looks like this:
Code:

$ grep jade /etc/passwd
jade:x:1002:1002::/upload:/bin/false

$ grep devel /etc/group
developers:x:1002:

$ id jade
uid=1002(jade) gid=1002(developers) groups=1002(developers)

All that works on my side:
Code:

[stasis] druuna ~ $ sftp jade@inferno
Connecting to inferno...
jade@inferno's password:
sftp> put lq.stuff
Uploading lq.stuff to /upload/lq.stuff
lq.stuff                                      100% 1848    1.8KB/s  00:00   
sftp>

Hope this helps.
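The reason for the extra subdirectory above is that sshd only accepts a ChrootDirectory whose every path component is root-owned and not group/other-writable. The following is an added example, not code from this thread or from OpenSSH: two POSIX shell functions that verify that layout before sshd is reloaded. The `WANT_UID` and `TOP` parameters are assumptions added so the check can also be exercised on a scratch directory as an unprivileged user; in production it is simply `check_chroot_path /www/dev`.

```shell
#!/bin/sh
# Added example (not from the thread). sshd rejects a ChrootDirectory with
# "bad ownership or modes for chroot directory" unless every path component
# from / down to it is owned by root and not group/other-writable. That is
# why /www and /www/dev are root:root 755 and only /www/dev/upload is
# group-writable. Run these checks before reloading sshd.

# check_chroot_path CHROOT [WANT_UID] [TOP]
# Walks from CHROOT up to TOP (inclusive, default /) and reports every
# component sshd would reject. WANT_UID (default 0 = root) and TOP are
# assumptions added so the check can also run on a scratch tree as a
# normal user; in production call it as: check_chroot_path /www/dev
check_chroot_path() {
    dir=$1; want_uid=${2:-0}; top=${3:-/}; rc=0
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        if [ "$uid" != "$want_uid" ]; then
            echo "REJECT $dir: owned by uid $uid, want $want_uid"; rc=1
        fi
        # GNU find -perm /022 matches when g+w or o+w is set
        if [ -n "$(find "$dir" -maxdepth 0 -perm /022)" ]; then
            echo "REJECT $dir: group- or other-writable"; rc=1
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_upload_dir DIR GROUP [WANT_UID]
# The writable subdirectory below the chroot: owned by WANT_UID, group
# GROUP (name or numeric gid), and group-writable, i.e. the thread's
# "chgrp developers upload; chmod 775 upload".
check_upload_dir() {
    dir=$1; group=$2; want_uid=${3:-0}
    [ "$(stat -c '%u' "$dir")" = "$want_uid" ] ||
        { echo "REJECT $dir: wrong owner"; return 1; }
    [ "$(stat -c '%G' "$dir")" = "$group" ] || [ "$(stat -c '%g' "$dir")" = "$group" ] ||
        { echo "REJECT $dir: wrong group"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -perm -g+w)" ] ||
        { echo "REJECT $dir: not group-writable"; return 1; }
    echo "OK $dir"
}

# Production use for the thread's layout (as root):
#   check_chroot_path /www/dev && check_upload_dir /www/dev/upload developers
```

Every line printed with REJECT names a component sshd would refuse, which is the fastest way to see why an sftp login closes immediately after authentication.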

roberto967 10-16-2011 04:09 PM

Quote:

Originally Posted by Emil M (Post 4499247)
I want to add some users, who are able to connect through SFTP but must not have Shell access.

I also want them to be locked at one folder and subfolders so they cannot explore the file system.
[...]

You can use proftpd (or another sftp server). I have a page which fits your request: http://notes.sagredo.eu/node/133

Emil M 10-17-2011 01:59 AM

Quote:

Originally Posted by druuna (Post 4499661)
Hi,

The instructions you mention in post #5 aren't entirely complete. Have a look at the following posts: Directory permissions in chroot SFTP. In short: You need to create a subdirectory due to security issues.
[...]

Thanks. Seems to be working now. However, one more thing: users will create folders and files with their default user group. Can I do something so that it's automatically always the developers group, or is it easier to maybe have a cronjob changing that now and then?

druuna 10-17-2011 02:31 AM

Hi,

The primary group a user belongs to is used when creating a file/directory. It is possible to change the current primary group to a different one, but you do have to realize that this affects all files/directories that are created (local and remote), which might not be an option (depends on many things). If you want to do this, have a look at this:
Code:

# as root, get the current user info:
$ id username
uid=501(username) gid=501(usergroup) groups=501(usergroup),502(foo),503(bar),1002(developers)

# change the primary group (usergroup) to the wanted group (developers);
# -G re-lists the supplementary groups so none of them is lost
$ usermod -g developers -G usergroup,foo,bar username

$ id username
uid=501(username) gid=501(developers) groups=1002(developers),501(usergroup),502(foo),503(bar)

The users that use sftp can also change the group themselves using the chgrp command after they have uploaded the file(s) (man sftp for details):
Code:

chgrp developers filename

But users might forget to do this unless it is automated.

And there is the option you already mentioned: Using a cronjob.

It depends on the environment and how people use it which option is appropriate for you. I personally think that permanently changing the user's primary group should be avoided if at all possible, unless this is a brand new environment.

Hope this helps.

Emil M 10-17-2011 08:44 AM

Thanks. Everything works now :)

druuna 10-17-2011 09:16 AM

You're welcome :)

BTW: Can you put up the [SOLVED] tag?
first post -> Thread Tools -> Mark this thread as solved
