-   Linux - Server (
-   -   Chroot / Jail configuration for SFTP with write access to /var/www/html (

daseagle 04-15-2012 06:27 PM

Chroot / Jail configuration for SFTP with write access to /var/www/html

I have the following setup:

Openssh 5.8 on Centos 5.7 x64. Selinux is disabled. No root login, ssh port non-standard.

What I need: 3 chrooted/jailed (I'm not sure which expression is correct) users, access only via SFTP (developers requirement, can't be helped) to 3 distinct directories (some web apps) all located in /var/www/html.

Problem: I have sftp as a whole working (took me a while to figure it out). I can't convince my server to limit users to their very own directories, while being able to write into those folders as well. Managed to make a fine mess out of my configuration files in the process of trying.

Details of needs:

User1: able to write into everything in /var/www/html/site1
User2: able to write into everything in /var/www/html/site2
User3: able to write into everything in /var/www/html/subdomain_site2


I can paste any conf file you require. These users do not need shell access on their own, but NONE can get out of their directories and browse anywhere else, via cd or ls.

Please note: I am quite new to the linux server enviroment. As such, please be clear in your instructions and don't assume I can fill in the blanks. Thanks for any help.

jschiwal 04-15-2012 06:47 PM

If you use the ChrootDirectory option in sshd_config, the partition needs the nosuid and noexec mount options. You can mount a directory with -bind and then mount it again with -remount for the needed mount options if the chroot directory isn't in its own directory.

You can assign the jailroot directory for each user with match phrases in sshd_config

Match User johndoe
        ChrootDirectory /home/johndoe
        ForceCommand internal-sftp

This web page has pretty good instructions:
Another howto

jschiwal 04-15-2012 07:05 PM

I forgot to ask which version of openssh you are using. You need v3.4 or later for that directive to work.

For a public facing server, disabling selinux isn't a good idea.

daseagle 04-15-2012 07:20 PM

Thanks for the info. I seem to be getting somewhere, but don't bring out the champagne yet - this could still go horribly wrong :)

1. Created the sftponly group.

2. Created a user that is located in /home/user1. Chowned recursively to root:root.

3. Mounted the /var/www/html/site1 directory to the /home/user1/site1 directory. Then to permit write access, I chowned recursively the /home/user1/site1 directory.

4. Logged in via FileZilla, showed up fine. Tried to write something to that mounted folder, worked. Tried to delete, worked.

I am still not perfectly comfortable with it, since I don't quite understand what I did. If anyone spots something wrong with it, please say so.

Selinux is disabled for now, since I did not have the luxury to add another level of complexity to my problem-solving process. Will be back after I have this sorted.

Aha moment: you have to force group membership, using usermod -g. And then mount, double chown.

All times are GMT -5. The time now is 04:53 PM.