LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 04-15-2012, 06:27 PM   #1
daseagle
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Rep: Reputation: Disabled
Question Chroot / Jail configuration for SFTP with write access to /var/www/html


Hello!

I have the following setup:

Openssh 5.8 on Centos 5.7 x64. Selinux is disabled. No root login, ssh port non-standard.

What I need: 3 chrooted/jailed (I'm not sure which expression is correct) users, access only via SFTP (developers requirement, can't be helped) to 3 distinct directories (some web apps) all located in /var/www/html.

Problem: I have sftp as a whole working (took me a while to figure it out). I can't convince my server to limit users to their very own directories, while being able to write into those folders as well. Managed to make a fine mess out of my configuration files in the process of trying.

Details of needs:

User1: able to write into everything in /var/www/html/site1
User2: able to write into everything in /var/www/html/site2
User3: able to write into everything in /var/www/html/subdomain_site2

------------------

I can paste any conf file you require. These users do not need shell access on their own, but NONE can get out of their directories and browse anywhere else, via cd or ls.

Please note: I am quite new to the linux server enviroment. As such, please be clear in your instructions and don't assume I can fill in the blanks. Thanks for any help.

Last edited by daseagle; 04-15-2012 at 06:35 PM.
 
Old 04-15-2012, 06:47 PM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
If you use the ChrootDirectory option in sshd_config, the partition needs the nosuid and noexec mount options. You can mount a directory with -bind and then mount it again with -remount for the needed mount options if the chroot directory isn't in its own directory.

You can assign the jailroot directory for each user with match phrases in sshd_config
Code:
Match User johndoe 
        ChrootDirectory /home/johndoe 
        ForceCommand internal-sftp
This web page has pretty good instructions:
http://ubuntuforums.org/showthread.php?t=858475
Another howto

https://calomel.org/sftp_chroot.html

Last edited by jschiwal; 04-15-2012 at 07:02 PM.
 
Old 04-15-2012, 07:05 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I forgot to ask which version of openssh you are using. You need v3.4 or later for that directive to work.

For a public facing server, disabling selinux isn't a good idea.
 
Old 04-15-2012, 07:20 PM   #4
daseagle
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks for the info. I seem to be getting somewhere, but don't bring out the champagne yet - this could still go horribly wrong

1. Created the sftponly group.

2. Created a user that is located in /home/user1. Chowned recursively to root:root.

3. Mounted the /var/www/html/site1 directory to the /home/user1/site1 directory. Then to permit write access, I chowned recursively the /home/user1/site1 directory.

4. Logged in via FileZilla, showed up fine. Tried to write something to that mounted folder, worked. Tried to delete, worked.

I am still not perfectly comfortable with it, since I don't quite understand what I did. If anyone spots something wrong with it, please say so.

Selinux is disabled for now, since I did not have the luxury to add another level of complexity to my problem-solving process. Will be back after I have this sorted.
---------------------------

Aha moment: you have to force group membership, using usermod -g. And then mount, double chown.

Last edited by daseagle; 04-15-2012 at 08:26 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ftp access to /var/www/html bmccarty12 Linux - General 2 10-16-2009 12:21 PM
Configure /var/www/html for user write access? SlowCoder Linux - Server 9 07-26-2009 05:37 PM
FTP access to /var/www/html/web_folder jonaskellens Linux - Server 2 07-11-2009 08:23 AM
Symbolic Link For FTP Access To /var/www/html ERRRRRRRRRRRR! JustinK101 Linux - Software 3 01-31-2007 11:32 AM


All times are GMT -5. The time now is 01:49 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration