LinuxQuestions.org (Linux - Server forum)
Old 10-15-2011, 12:59 PM   #1
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Rep: Reputation: 0
Add user with SFTP but not Shell


I want to add some users who are able to connect through SFTP but must not have shell access.

I also want them to be locked to one folder and its subfolders so they cannot explore the file system.

I have tried this, but it also prevents SFTP, so for a start it's not my solution:
Code:
useradd -s /bin/nologin <username>

Last edited by Emil M; 10-18-2011 at 05:55 AM.
 
Old 10-15-2011, 01:05 PM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374
Hi,

You might want to have a look at scponly

Quote:
scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
Hope this helps.
 
Old 10-15-2011, 01:12 PM   #3
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks. I get this information:

Code:
If you want scponly to chroot into the user's home directory prior to
doing its work, the scponly binary has to be installed in
/usr/sbin/scponlyc and has to have the suid-root-bit set.

This could lead (in the worst case) to a remotely exploitable root hole.
If you don't need the chroot functionality, don't install the file.

Install the chrooted binary /usr/sbin/scponlyc SUID root?
Will I be able to change the chroot path afterwards? I need it to be something like /www/dev/ and have several chrooted users pointed to that.
 
Old 10-15-2011, 01:38 PM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374
Hi,
Quote:
Originally Posted by Emil M View Post
Will I be able to change the chroot path afterwards? I need it to be something like /www/dev/ and have several chrooted users pointed to that.
After what? Once you create a user that does use a chrooted env you need to (delete and) recreate it if it is not correct.

Have a look here: Using scponly To Allow SCP/SFTP Logins And Disable SSH Logins On Debian Squeeze (especially point 4).

Hope this helps.
 
Old 10-15-2011, 02:11 PM   #5
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Sorry, I searched some more and found this http://blog.frands.net/sftp-only-chr...in-debian-166/
 
Old 10-15-2011, 02:35 PM   #6
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Original Poster
Rep: Reputation: 0
But I'm having a strange issue here.

I've added the users and the group (developers). They are pointed to /www/dev and I've run the following:

Code:
sudo mkdir /www/dev
sudo chown www-data:developers -R /www/dev
sudo chmod 775 -R /www/dev
sudo usermod -a -G developers myUser
But myUser still has no write permissions to that folder. Am I missing something here?
 
Old 10-16-2011, 04:58 AM   #7
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374
Hi,

The instructions you mention in post #5 aren't entirely complete. Have a look at the following posts: Directory permissions in chroot SFTP. In short: You need to create a subdirectory due to security issues.

Assuming that you edited sshd_config correctly, this is what seems to work (as root):
Code:
$ cd /
$ mkdir -p www/dev/upload
$ chown root:root -R www
$ chmod 755 -R www
$ cd www/dev
$ chgrp developers upload
$ chmod 775 upload
The user I tested with looks like this:
Code:
$ grep jade /etc/passwd
jade:x:1002:1002::/upload:/bin/false

$ grep devel /etc/group
developers:x:1002:

$ id jade
uid=1002(jade) gid=1002(developers) groups=1002(developers)
All that works on my side:
Code:
[stasis] druuna ~ $ sftp jade@inferno
Connecting to inferno...
jade@inferno's password: 
sftp> put lq.stuff
Uploading lq.stuff to /upload/lq.stuff
lq.stuff                                      100% 1848     1.8KB/s   00:00    
sftp>
Hope this helps.

Last edited by druuna; 10-16-2011 at 05:23 AM. Reason: Fixed typos
 
1 members found this post helpful.
Old 10-16-2011, 05:09 PM   #8
roberto967
Member
 
Registered: Apr 2011
Distribution: Slackware64-current
Posts: 65

Rep: Reputation: 12
Quote:
Originally Posted by Emil M View Post
I want to add some users, who are able to connect through SFTP but must not have Shell access.

I also want them to be locked at one folder and subfolders so they cannot explore the file system.
[...]
you can use proftpd (or another sftp server). I have a page which fits to your request http://notes.sagredo.eu/node/133
 
Old 10-17-2011, 02:59 AM   #9
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by druuna View Post
The instructions you mention in post #5 aren't entirely complete. Have a look at the following posts: Directory permissions in chroot SFTP. In short: You need to create a subdirectory due to security issues.
[...]
Thanks. Seems to be working now. However, one more thing: users will create folders and files with their default user group. Can I do something so that it's automatically always the developers group, or is it easier to have a cron job change that now and then?
 
Old 10-17-2011, 03:31 AM   #10
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374
Hi,

The primary group a user belongs to is used when creating a file/directory. It is possible to change the current primary group to a different one, but you do have to realize that this affects all files/directories that are created (local and remote), which might not be an option (depends on many things). If you want to do this have a look at this:
Code:
# as root, get the current user info:
$ id username
uid=501(username) gid=501(usergroup) groups=501(usergroup),502(foo),503(bar),1002(developers)

# change the primary group (usergroup) to the wanted one (developers)
$ usermod -g developers -G usergroup,foo,bar username

$ id username
uid=501(username) gid=1002(developers) groups=1002(developers),501(usergroup),502(foo),503(bar)
The users that use sftp can also change the group themselves using the chgrp command after they uploaded the file(s) (man sftp for details):
Code:
chgrp developers filename
But users might forget to do this unless it is automated.

And there is the option you already mentioned: Using a cronjob.

It depends on the environment and how people use it which option is appropriate for you. I personally think that permanently changing the user's primary group should be avoided if at all possible, unless this is a brand new environment.

Hope this helps.
 
1 members found this post helpful.
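Besides the three options above (primary group, manual chgrp, cron), the setgid bit on the upload directory makes new files and subdirectories inherit the directory's group whatever the creator's primary group is, and subdirectories inherit the setgid bit too. The script below is an added example, not code from the thread: it applies that bit and implements the periodic sweep as a function you could call from cron for anything that still slipped through (a file moved in with its old group, for instance). It assumes Linux with GNU coreutils (find -print0, stat -c); the directory and group names are the thread's, and the cron path in a comment is hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes Linux + GNU coreutils; the
# thread's layout is /www/dev/upload shared by group "developers".

# Make DIR group-owned by GROUP with the setgid bit, so everything created
# inside inherits GROUP. Prints the resulting octal mode.
# Usage: set_group_inherit DIR GROUP   (GROUP may be a name or a numeric gid)
set_group_inherit() {
    local dir=$1 group=$2
    chgrp -- "$group" "$dir" || return 1
    chmod 2775 -- "$dir" || return 1
    stat -c '%a' -- "$dir"            # 2775: the leading 2 is the setgid bit
}

# Sweep: re-group every entry under DIR that is not already in GROUP and
# print how many were fixed. Safe to run from cron, e.g. (hypothetical path):
#   */10 * * * * root /usr/local/sbin/fix-upload-group
# Usage: fix_group DIR GROUP
fix_group() {
    local dir=$1 group=$2 n
    n=$(find "$dir" ! -group "$group" -print0 | tr -dc '\0' | wc -c)
    find "$dir" ! -group "$group" -exec chgrp -- "$group" {} +
    echo $((n))
}

# Numeric gid of a path, for checking results.
gid_of() { stat -c '%g' -- "$1"; }

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # Demo on a scratch directory with the caller's own primary group so it
    # runs unprivileged; on the server use /www/dev/upload and developers.
    d=$(mktemp -d)
    g=$(id -g)
    echo "mode after setgid: $(set_group_inherit "$d" "$g")"
    touch "$d/from-sftp"; mkdir "$d/sub"
    echo "new file gid $(gid_of "$d/from-sftp"), new dir gid $(gid_of "$d/sub")"
    echo "entries fixed by sweep: $(fix_group "$d" "$g")"
    rm -rf -- "$d"
fi
```

One caveat the setgid bit does not solve: the group write bit on new files comes from the uploader's umask, so with the default 022 a colleague in developers can read but not modify a fresh upload. sftp-server and internal-sftp accept `-u umask` (OpenSSH 5.4 and later), so `ForceCommand internal-sftp -u 002` in the Match block gives group-writable files without changing anyone's shell umask.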
Old 10-17-2011, 09:44 AM   #11
Emil M
LQ Newbie
 
Registered: Feb 2010
Posts: 25

Original Poster
Rep: Reputation: 0
Thanks. Everything works now
 
Old 10-17-2011, 10:16 AM   #12
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2374
You're welcome

BTW: Can you put up the [SOLVED] tag?
first post -> Thread Tools -> Mark this thread as solved
 
  

