Restricting a user to their home directory - not working
Hi there,
I am running CentOS 6.7 on a server and I have been trying to set up a new user which I can then give a home directory. Initially this has worked and I can log in via sFTP and go to this directory. The problem I have is that the user I create can move back through the previous directories, which I don't want. Note I am using sFTP and not normal FTP.

I can tell you some of the settings in the sshd_config file:

Code:
    # override default of no subsystems
    #Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp

    Match Group tester
        ChrootDirectory /var/www/html/testyourwebsitenow
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no

Tester is inside of a group called tester. When I visit the directory mentioned above I have the following when I check for permissions on the user tester on the console:

Code:
    drwxrwxr-x. 7 tester tester 4096 Nov 17 15:10

When I check the permissions of the user called tester (the group is also called tester) I get the following:

Code:
    [*****@****** testyourwebsitenow]# grep tester /etc/passwd
    tester:x:500:500:Web Tester:/var/www/html/testyourwebsitenow:/bin/bash

Finally I try to log into the account via Filezilla and it won't connect. When I tried it through SSH I get the following:

Code:
    [***@****** testyourwebsitenow]# sftp tester@*******.com
    Connecting to testyourwebsitenow.com...
    Address ******** maps to ******.setaptr.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    tester@**********.com's password:
    Write failed: Broken pipe
    Couldn't read packet: Connection reset by peer
    [****@****** testyourwebsitenow]#

Anybody got any ideas what the issue might be which is now blocking the account from logging in? Also does anybody know what is stopping me setting it up so that the user cannot go back from the /var/www/html/testyourwebsitenow directory? The error says about a broken pipe and connection reset, but I have specified in the config file to allow it, haven't I?

Many thanks
Hi there,
Regarding your config, two comments:

- The "ChrootDirectory /var/www/html/testyourwebsitenow" should achieve what you want in terms of preventing the user from accessing directories higher up the tree; this will appear as "/" to him.
- The home directory of the user is relative to the chroot directory as far as I know, so it probably should be changed manually to "/" or some subdirectory of the chroot directory.

Regarding the login failure, I'd suggest you configure syslog to log SSH messages to a file, and look for clues in that log file. Where I have encountered similar errors, there was usually more info in the logs. One common problem is file permissions - SSH is fussy about the owner and permissions of all directories leading up to the chroot directory.

Good luck!
If you really want to restrict a user to only the home directory, you would want to invoke BASH with rbash or bash -r.
See the BASH manual page RESTRICTED SHELL subject (near the bottom of the manual page, just above SEE ALSO). A convenient way of doing this is simply to edit /etc/passwd for that user (if you cannot define the shell when adding the user); e.g.,

Code:
    userid:x:1001:100:User Name,,,:/home/userid:/bin/rbash
Hi tronayne,
A restricted shell solves only part of the problem. While you can't "cd" to other places for example, you can still run commands in your PATH on any file, for example "view /etc/passwd". In this case, though, Sharkadder's requirement seems to be for SFTP access, not shell access ;-)
Hi there,
Ok so I tried to make the home directory in sshd_config just / and it just went to the root directory. Ironically when I set it to that it allowed the user to then log in! Having changed it back to /var/www/html/testyourwebsitenow it no longer allows permission. I have checked the /var/log/secure file and this is what it has said:

Code:
    Nov 21 20:34:46 a000066 unix_chkpwd[28966]: password check failed for user (root)

Although the user owns the /var/www/html/testyourwebsitenow directory, do I need to give them access to /var/www also? I don't want to be doing this as it defeats my object of restricting them to just the one directory and not being able to go back. The permissions on the folder I am after still show ownership for tester:

Code:
    [root@******* var]# ls -ld /var/www/html/testyourwebsitenow
    drwxrwxr-x. 7 tester tester 4096 Nov 17 15:10 /var/www/html/testyourwebsitenow

Many thanks,
Mark
Hi,
The user needs read and execute permission to /var/www and /var/www/html, yes. This is so they can get into the target directory successfully. The chroot is done after this, though, and will restrict them from accessing these directories via SFTP. If you end up in / when SFTP-ing into the server, or you can still PuTTY into the server, it looks like your changes to sshd_config are not working. Have you restarted sshd so they can take effect?
Hi there,
I have typed in the following code and tried this way:

Code:
    setfacl -m u:tester:rx /var/www/html
    setfacl -m u:tester:rx /var/www/

Also I then tried to log in via sftp after a restart of the SSH:

Code:
    to the address - POSSIBLE BREAK-IN ATTEMPT!

http://askubuntu.com/questions/48752...ing-w-notation

You'll see the guy says to use setfacl instead of giving them any kind of ownership to the directory. I can give them ownership if this is what is needed though, but just wondered if I actually needed to do that.

Many thanks,
Mark
Hi,
I've never tried this, but did a quick search, and get the impression that ACLs don't work with the SSH chroot mechanism. The easiest way to verify this is to temporarily give the user the necessary access, either by granting o+rx permissions, or adding the user to the group that owns those directories.

Is there a reason for using that specific directory? Why not consider creating a directory in a different structure (like /var/tester/testyourwebsitenow or something) instead, and configuring your webserver (I'm guessing Apache) to serve the pages from there instead?

Regards,
Clifford
Hi Clifford,
Basically I have a test web server which is used to test out websites on. So the directory /var/www/html/testyourwebsitenow is the main directory where all of the websites go. Currently in this directory I have multiple different WordPress installs which are to be used as testing websites which can be accessed through one domain name. So when somebody goes to www.mysite.com/wordpressxx it will load the appropriate WordPress site up. That part is working, but on the sFTP I don't wish the test user to be able to go out of that directory in case I give access to other people to the source files.

The settings I now have once I have made tester have permission on /var/www are as follows. I did try giving tester ownership of the /var/www directory and it still never worked, but when I make /var the home directory in sshd_config it allows the user to log in but logs them into /var instead of the directory I want:

Code:
    [root@a000066 ~]# ls -l /var/www/

Code:
    drwxrwxr-x. 7 root tester 4096 Nov 17 15:10 testyourwebsitenow

    [root@a000066 log]# sftp tester@**********.com
    Connecting to ******.com...
    Address ***.***.***.*** maps to *****.setaptr.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
    tester@*****.com's password:
    Write failed: Broken pipe
    Couldn't read packet: Connection reset by peer

The secure log is showing:

Code:
    Nov 22 22:26:10 a000066 sshd[32034]: Accepted password for tester from ***.***.***.*** port 54692 ssh2

http://askubuntu.com/questions/28089...p-denies-login

From what I have read on the internet, many people are having similar problems and it just seems to be a pain to initially set up, I think. Once I have an adequate solution I'll be ok. Filezilla just asks if I want to update my cached key once I type in the username and password for the user; when I click yes it just disconnects saying "Software caused network abort", which is probably the same sort of message the command prompt gives me on SSH.

Edit: Sorry, I also changed the home directory back a directory as follows in sshd_config now, as discussed in the website above, and it never worked either after a restart of the sshd:

Code:
    Match Group tester
        ForceCommand internal-sftp
        ChrootDirectory /var/www/html
        AllowTCPForwarding no
        X11Forwarding no

Any other ideas?
Hi,
What are the permissions on /var/www? That seems to be where the problem is. I'd suggest we try and distinguish between genuine permission issues & SSH issues first. To test the permissions, try and "su" from root to "tester", and then try and cd to /var/www/html/testyourwebsitenow. If that fails, try one directory at a time (cd /var; cd /var/www; etc) until you find the problem directory.
Hi Clifford
Ok, what I have now tried is to change the tester's shell from /bin/false to /bin/csh and this has allowed me to log in via the su command in PuTTY. The other shells which worked with su still allowed me to access any file or folder on the server with tester. When I did su with /bin/false it didn't change user, which is why I changed it.

When I log in as tester it does go into the testyourwebsitenow directory on the server as default; however the user is still able to move back through the directories to /var/www/html and /var/www. The test user can even go into the /etc directory and all of the others inside of the main root folder. The user clearly has permissions to access the whole server.

In the /var/www/html/ directory the permissions to this folder now show as:

Code:
    drwxrwxr-x. 7 root tester 4096 Nov 23 23:22 testyourwebsitenow

The testyourwebsitenow directory, which is also owned by root inside of the tester group, is showing as:

Code:
    drwxrwxr-x. 5 root tester 4096 Nov 15 14:39 wordpress**

Code:
    [root@a0000665 html]# ls -l /var/www/

Code:
    Nov 24 00:26:18 a000066 sshd[19322]: Accepted password for tester from ***.***.***.*** port 54751 ssh2
Hi there,
Please show me the permissions of /var/www itself (not its contents), i.e. please run "ls -ld /var/www".

Regarding the restriction of access to the desired directory, don't worry about the fact that in SSH/PuTTY you can move around outside it for now. The restriction applies to SSH only, and not to "su", which is why it seems wrong now. Changing the shell back to /bin/false later will solve this again, though.

One area we haven't explored yet, is whether SELinux might be playing a role here. You might want to explore that too ;-)

Regards,
Clifford
Hi Clifford,
Shown below are the permission settings for /var/www, sorry I thought I had included that last time:

Code:
    [root@a000066 sysconfig]# ls -ld /var/www

I tried to give tester read and execute permissions on /var/www as shown below:

Code:
    [root@a000066 www]# ls -ld /var/www

Code:
    Nov 24 22:02:59 a000066 sshd[24860]: Accepted password for tester from ***.***.***.*** port 54784 ssh2

http://kmaiti-1.blogspot.co.uk/2012/...ssages-in.html
https://www.centos.org/forums/viewtopic.php?t=9009

Not sure if I am doing the SELinux correctly, but I just copied and pasted in the commands they showed to get it set up and finished with the command:

Code:
    semodule -i sftp_chroot_custom_pol.pp

Many thanks,
Mark
If you're trying to restrict file traversal for that user, disable any shell access (i.e. /usr/sbin/nologin). SFTP chroot won't help you there.

SFTP has a funny access method. I see $HOME is set to '/var/www/html/testyourwebsitenow'. The directory '/var' down to 'testyourwebsitenow' must be owned by root. You then create a new subdirectory underneath that, owned and writable by tester. You then sftp into that.
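The root-ownership rule stated in the post above is exactly what sshd enforces for ChrootDirectory (sshd_config(5): every component of the path must be a root-owned directory not writable by any other user or group), and it is the check worth running before touching the config again. The script below is an added example, not from this thread or from OpenSSH; it judges each path component from its "ls -ld" line, so the listings pasted earlier in the thread can be fed to it directly, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a directory tree meets
# OpenSSH's ChrootDirectory requirements (sshd_config(5)): the chroot and
# every parent must be a root-owned directory writable by no one but root.
# Otherwise sshd aborts the session and the client only sees "Broken pipe".

# Judge one directory from its symbolic mode string (as printed by ls -ld,
# e.g. "drwxrwxr-x."), its owner name and its path. Prints each reason it
# fails; returns 0 only when the component is acceptable.
chroot_component_ok() {
    mode=$1; owner=$2; path=$3; ok=0
    case $mode in
        d*) ;;
        *) echo "$path: not a directory ($mode)"; ok=1 ;;
    esac
    [ "$owner" = root ] || { echo "$path: owned by $owner, must be root"; ok=1; }
    # characters 6 and 9 of the mode string are the group and other write bits
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" = "-" ] || { echo "$path: group-writable ($mode)"; ok=1; }
    [ "$ow" = "-" ] || { echo "$path: world-writable ($mode)"; ok=1; }
    return $ok
}

# Check a single line of "ls -ld" output: fields are mode, links, owner,
# group, size, date..., name. Works on the lines pasted in the thread.
ls_line_ok() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    name=$(printf '%s\n' "$1" | awk '{print $NF}')
    chroot_component_ok "$mode" "$owner" "$name"
}

# Walk a live path from / down to the ChrootDirectory, checking each component.
check_chroot_path() {
    dir=$1; status=0; p=""
    ls_line_ok "$(ls -ld /)" || status=1
    old_ifs=$IFS; IFS=/
    for part in $dir; do
        [ -n "$part" ] || continue
        p="$p/$part"
        ls_line_ok "$(ls -ld "$p")" || status=1
    done
    IFS=$old_ifs
    return $status
}

# Usage: sh check_chroot.sh /var/www/html/testyourwebsitenow
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run against the thread's own listings, it flags "drwxrwxr-x. 7 tester tester ... testyourwebsitenow" for both the owner and the group write bit, and the later "drwxrwxr-x. 7 root tester ..." still for the group write bit, which alone is enough for sshd to refuse the chroot.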