
niall0s 09-11-2003 12:07 PM

file transfer over ssh restrict directory browsing
Hi everyone,

I'm a relative newbie to linux (6 months) and I have a question about transferring files.

I have set up a RedHat 9 box and can successfully connect to it using ssh and transfer files using winSCP from a windoze box.

I want to be able to give accounts to users so they can transfer files to a folder over ssh but not be able to browse outside that folder, for example:

The folder structure is as follows



So when usera connects they will be in the folder /transfers/usera by default and can upload files there but they should not be able to change the dir to /transfers or to / or browse any other folders.

Is this possible?

trickykid 09-11-2003 12:20 PM

man chroot

And it's also a good idea to give them a non-working shell as well.

Add something like /bin/false to your /etc/shells and assign that as their valid shell in /etc/passwd. This will disable them from logging in thru other means or services you have enabled, like ssh, telnet and so on..
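As an added example (not code from the thread), the audit below goes with the advice to give transfer-only accounts a non-working shell: it reads a passwd-format file, picks out every account whose home directory lives under a given transfer tree (the thread's /transfers), and flags any of them that still has an interactive shell instead of /bin/false or nologin. The passwd file and prefix are parameters, and the sample passwd lines are constructed for the demo, so it audits the sample rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the thread. Audit accounts whose home is under
# a transfer tree and report whether each one has a non-login shell.
# NOLOGIN_SHELLS lists the shells treated as "cannot log in".
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin"

# Usage: check_transfer_accounts PASSWD_FILE HOME_PREFIX
# Prints one line per matching account: "user shell OK|WARN".
# WARN means the account could still get a real shell over ssh.
check_transfer_accounts() {
    passwd_file=$1
    prefix=$2
    while IFS=: read -r user _ _ _ _ home shell; do
        # skip blank lines and comments
        case $user in ''|\#*) continue ;; esac
        # only look at accounts whose home sits inside the transfer tree
        case $home in
            "$prefix"/*) ;;
            *) continue ;;
        esac
        status=WARN
        for s in $NOLOGIN_SHELLS; do
            if [ "$shell" = "$s" ]; then
                status=OK
            fi
        done
        printf '%s %s %s\n' "$user" "$shell" "$status"
    done < "$passwd_file"
    return 0
}

# Constructed sample passwd file (hypothetical accounts, not from the thread).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
usera:x:501:501::/transfers/usera:/bin/false
userb:x:502:502::/transfers/userb:/bin/bash
userc:x:503:503::/home/userc:/bin/bash
EOF

# Demo run: usera is OK, userb is flagged, userc is outside the tree.
check_transfer_accounts "$SAMPLE_PASSWD" /transfers
```

Run it against the real file with `check_transfer_accounts /etc/passwd /transfers` once the accounts exist; any WARN line is an account that was meant to be transfer-only but can still open a shell.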

unSpawn 09-11-2003 12:41 PM

Have a look at

niall0s 09-11-2003 12:49 PM

Thanks for the quick reply trickykid but I'm still a bit lost here.

I can only run chroot as root, so how do I set the root / dir for each user to be their home directory, or am I missing the point here?

Also, when I change their shell to /bin/false they can no longer login to the box to transfer files. As I mentioned, they are currently using winSCP; or is there a better way to transfer files?

I know I'm missing something here and I'd really appreciate it if you could give me an a-z for setting this up correctly.

Eqwatz 09-11-2003 02:38 PM

Look into the security for FTP--the secure shell version. It does involve chroot and other stuff, but it has been documented so many times by different people that the docs are getting understandable even to me.

Sorry I can't remember the name for the secure-shell version of FTP.

Google it. There is also a client for windows. There is an open source one. You shouldn't have to pay. Once you get the name of it from google--google it. That should get you the documentation and downloads for it.

(The reason I mentioned this is that the Howto documentation goes into depth about the use of chroot. I read the chroot documentation and it left me more confused than when I started.)

Eqwatz 09-11-2003 02:39 PM

Eqwatz 09-11-2003 03:05 PM

Also, just like in Win2K, you have group and user permissions which you can set for their logon to your RH machine.

chroot for that group--if the setup of this is done properly, a student shouldn't be able to go above the "/./" directory. And you can pick the specific commands that they can run. They should not be able to run any shell scripts.

Owner/creator of the folders and files=student-group.

This means that you have to put yourself in as a member of the group (setting up groups is done as root.) Then, logging in on your non-root user account: create the directories and files.

Group permissions set to rwx on directory (owner and group only), rw- (no execute) on files (owner only). Others in the group could see the directory but not have access to the files.

A directory created by the student account is to be seen by no one but root and the student (root can see anything). The permissions of rwx are for the owner only. Thus, anything in that account can only be seen by the owner of the directory. If another user can guess directoryname/filename--he will be able to see it unless the individual file permissions are set.

Read up on file permissions and write the stuff in your own words. I find the man-pages and Info pages confusing until I write it down. Even then I might have to do it several times to gain understanding. (I may be confused now.)

Eqwatz 09-11-2003 03:19 PM

A new login non root-user account, with only membership to student group would be the surest way to keep from buggering up the permissions on the folders and such.

Just set-up a back-up set updated by cron every few minutes to protect the files from deletion. NO BLOODY LINKS.

You can even script an auto-magic recovery with cron and two bash scripts.

If you want to be truly evil--you can script an automatic e-mail generated by the need to recover the files with the name of the user who deleted them and the time of deletion--so they can check to see if any of their work is missing. Mwah-ha-ha-ha!!!!!!!!!!

Eqwatz 09-11-2003 03:22 PM

Did I imply that the new user accounts (ie. the students) would only have membership to the student group strongly enough???

trickykid 09-11-2003 03:35 PM


Originally posted by Eqwatz
Did I imply that the new user accounts (ie. the students) would only have membership to the student group strongly enough???

Just a reminder, you know we have an edit button to add anything or edit your threads, no need to keep adding new posts.. ;)

Eqwatz 09-11-2003 03:37 PM

OOPS! If you want the students to have their own /home after you set up their account, create the folders with their own account and set the permissions to rwx for the owner only.

If you want to do it the really easy way.

Google: community college computer science "intro to unix" or "Scripting for the web" or "intro to linux". Get the prof's name, ply him with praise/beer and get a copy of his set-up and scripts.

They automate all of the accounts and their creation/destruction for each semester. A few edits on a copy of the student list, three commands and you are done.

[[ I didn't notice the edit button. MY BAD. Sorry.]]

I am unfamiliar with chrootssh--and when I checked at the time it was a dead link. If you copy too much below /./ you can end up defeating the purpose by duplicating /. Frankly, chroot scared me because I always got confused or fell asleep while reading the docs. When you figure it out, please post it. Maybe if you explain it--I'll "get" it.

(My little brain cells start committing suicide when I read certain docs. I have to use cp -dpvR instead of cpio or dump because of that.)

niall0s 09-11-2003 03:50 PM

Eqwatz, thanks for all the info but lay off the speed ;)

As unSpawn suggested I went to and installed chrootssh.

Now the problem I'm having is I cannot get chroot to work correctly: if I type chroot /transfers I get the error /bin/bash no such file or directory. I copied /bin/bash and all required library files to /transfers/bin/bash and I still get the same error.

[root@application bin]# chroot /transfers /transfers/bin/bash
chroot: /transfers/bin/bash: No such file or directory

[root@application bin]# ls -la /transfers
total 12
drwxr-xr-x 3 root root 4096 Sep 11 20:48 .
drwxr-xr-x 21 root root 4096 Sep 11 20:46 ..
drwxr-xr-x 3 root root 4096 Sep 11 20:55 bin

[root@application bin]# ls -la /transfers/bin
total 2164
drwxr-xr-x 3 root root 4096 Sep 11 20:55 .
drwxr-xr-x 3 root root 4096 Sep 11 20:48 ..
-rwxr-xr-x 1 root root 626028 Sep 11 20:48 bash
drwxr-xr-x 2 root root 4096 Sep 11 20:55 lib
-rwxr-xr-x 1 root root 1536292 Sep 11 20:55
-rwxr-xr-x 1 root root 15900 Sep 11 20:54
-rwxr-xr-x 1 root root 11784 Sep 11 20:53
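The script below is an added example (not code from the thread or from chrootssh) of how to stage a program into a chroot directory and check it before switching root. Two things the check enforces are facts about chroot(8) rather than assumptions: the command path given to chroot is resolved inside the new root, so the call is `chroot /transfers /bin/bash`, not `chroot /transfers /transfers/bin/bash`; and every shared library plus the dynamic loader that ldd reports must exist inside the jail at the same path it has on the host (under ROOT/lib, not ROOT/bin/lib), or the kernel answers "No such file or directory" even though the binary is there. Names such as stage_into_chroot, chroot_check and make_upload_dir are hypothetical helpers written here; everything except the final chroot run works unprivileged against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread. Build and verify a minimal chroot:
# copy a program and the libraries ldd reports into ROOT, keeping the
# host's path layout, then confirm the jail is complete before use.

# Extract the absolute paths (libraries and the dynamic loader) that ldd
# prints for a program; fields ending in ':' are error text, not paths.
ldd_paths() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/[^:]+$/) print $i }'
}

# Usage: stage_into_chroot ROOT /path/to/program
# Copies the program and its libraries into ROOT at their original paths.
stage_into_chroot() {
    root=$1
    prog=$2
    if [ ! -x "$prog" ]; then
        echo "not executable: $prog" >&2
        return 1
    fi
    mkdir -p "$root$(dirname "$prog")"
    cp -p "$prog" "$root$prog"
    ldd_paths "$prog" | while read -r lib; do
        [ -f "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
    return 0
}

# Usage: chroot_check ROOT /path/to/program
# The program path is the one seen from inside the jail, exactly as it
# would be passed to "chroot ROOT /path/to/program". Returns 1 and lists
# every missing file if the jail is incomplete.
chroot_check() {
    root=$1
    prog=$2
    rc=0
    if [ ! -x "$root$prog" ]; then
        echo "missing: $root$prog" >&2
        rc=1
    fi
    for lib in $(ldd_paths "$prog"); do
        if [ ! -f "$root$lib" ]; then
            echo "missing: $root$lib" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: make_upload_dir ROOT username
# Creates the per-user upload directory (the thread's /transfers/usera)
# with mode 0700 so other transfer users cannot enter or list it.
# chown to the user is left to the admin, since it needs root.
make_upload_dir() {
    mkdir -p "$1/$2"
    chmod 700 "$1/$2"
}

# Demo on a scratch directory (no root needed): stage /bin/sh, verify it,
# and add an upload directory for a hypothetical user.
DEMO_ROOT=$(mktemp -d)
stage_into_chroot "$DEMO_ROOT" /bin/sh
chroot_check "$DEMO_ROOT" /bin/sh && echo "jail at $DEMO_ROOT is complete"
make_upload_dir "$DEMO_ROOT" usera
ls -ld "$DEMO_ROOT/usera"
```

Once chroot_check passes for the real tree, the command to try as root is `chroot /transfers /bin/bash`; a missing loader or library shows up in the check's output before the kernel's less helpful error does.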

