Restricting a user to their home directory - not working
 

Hi there,

I am running Centos 6.7 on a server and i have been trying to set up a new user which i can then give a home directory. Initially this has worked and i can log in via sFTP and go to this directory. The problem i have is that the user i create can move back through the previous directories which i don't want.

Note i am using sFTP and not normal FTP

I can tell you some of the settings in sshd_config file:

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group tester
ChrootDirectory /var/www/html/testyourwebsitenow
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no

Tester is inside of a group called tester

When i visit the directory mentioned above i have the following when i check for permissions on the user tester on the console:

drwxrwxr-x. 7 tester tester 4096 Nov 17 15:10

When i check the permissions of the user called tester (the group is also called tester) i get the following:
[*****@****** testyourwebsitenow]# grep tester /etc/passwd
tester:x:500:500:Web Tester:/var/www/html/testyourwebsitenow:/bin/bash

Finally i try to log into the account via Filezilla and it won't connect. when i tried it through SSH i get the following:
[***@****** testyourwebsitenow]# sftp tester@*******.com
Connecting to testyourwebsitenow.com...
Address ******** maps to ******.setaptr.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
tester@**********.com's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
[****@****** testyourwebsitenow]#

Anybody got any ideas what the issue might be which is now blocking the account from logging in? Also does anybody know what is stopping me setting it up so that the user cannot go back from the /var/www/html/testyourwebsitenow directory? The error says about a broken pipe and connection reset but i have specified in the config file to allow it haven't i?

Many thanks

Hi there,

Regarding your config, two comments:

- The "ChrootDirectory /var/www/html/testyourwebsitenow" should achieve what you want in terms of preventing the user from accessing directories higher up the tree; this will appear as "/" to him.
- The home directory of the user is relative to the chroot directory as far as I know, so probably should be changed manually to "/" or some subdirectory of the chroot directory.

Regarding the login failure, I'd suggest you configure syslog to log SSH messages to a file, and look for clues in that log file. Where I have encountered similar errors, there was usually more info in the logs. One common problem is file permissions - SSH is fussy about the owner and permissions of all directories leading up to the chroot directory.

Good luck!

If you really want to restrict a user to only the home directory, you would want to invoke BASH with rbash or bash -r.

See the BASH manual page RESTRICTED SHELL subject (near the bottom of the manual page, just above SEE ALSO.

A convenient way of doing this is simply edit /etc/passwd for that user (if you cannot define the shell when adding the user); e.g.,
Hope this helps some.

Hi tronayne,

A restricted shell solves only part of the problem. While you can't "cd" to other places for example, you can still run commands in your PATH on any file, for example "view /etc/passwd".

In this case, though, Sharkadder's requirement seems to be for SFTP access, not shell access ;-)

Hi there,

Ok so i tried to make the home directory in sshd_config to just / and it just went to the root directory. Ironically when i set it to that it allowed the user to then log in!

Having changed it back to /var/www/html/testyourwebsitenow it no longer allows permission

I have checked the /var/log/secure file and this is what it has said:
the above code shows what happened after an sftp user@mydomain.com login attempt through puTTy. the password i am using is correct. It is just the login attempt for tester you need to look at above.

Although the user owns the /var/www/html/testyourwebsitenow directory, do i need to give them access to /var/www also? I don't want to be doing this as it defeats my object of restricting them to just the one directory and not being able to go back

The permissions on the folder i am after still show ownership for tester:

[root@******* var]# ls -ld /var/www/html/testyourwebsitenow
drwxrwxr-x. 7 tester tester 4096 Nov 17 15:10 /var/www/html/testyourwebsitenow

Many thanks,

Mark

Hi,

The user needs read and execute permission to /var/www and /var/www/html, yes. This is so they can get into the target directory successfully. The chroot is done after this, though, and will restrict them from accessing these directories via SFTP.

If you end up in / when SFTP-ing into the server, or you can still PuTTY into the server, it looks like your changes to sshd_config are not working. Have you restarted sshd so they can take effect?

Hi there,

I have typed in the following code and tried this way

setfacl -m u:tester:rx /var/www/html

setfacl -m u:tester:rx /var/www/

Also i then tried to log in via sftp after a restart of the SSH:

Now when i go to log in via sFTP it brings up the confirm hash box which you get but then says could not connect to server. The SSHD log shows as follows:

Will i need to give tester group or user ownership to the directory instead? I didn't really want to do that but tried following this:
http://askubuntu.com/questions/48752...ing-w-notation

You'll see the guy says to use setfacl instead of giving them any kind of ownership to the directory. I can give them ownership if this is what is needed though but just wondered if i actually needed to do that

Many thanks,

Mark

Hi,

I've never tried this, but did a quick search, and get the impression that ACLs don't work with the SSH chroot mechanism.

The easiest way to verify this is to temporarily give the user the necessary access, either by granting o+rx permissions, or adding the user to the group that owns those directories.

Is there a reason for using that specific directory? Why not consider creating a directory in a different structure (like /var/tester/testyourwebsitenow or something) instead, and configuring your webserver (I'm guessing Apache) to serve the pages from there instead?

Regards,

Clifford

Hi Clifford,

Basically i have a test web server which is used to test out websites on. So the directory /var/www/html/testyourwebsitenow is the main directory where all of the websites go. Currently in this directory i have multiple different wordpress installs which are to be used as testing websites which can be accessed through one domain name. So when somebody goes to www.mysite.com/wordpressxx it will load the appropriate wordpress site up. That part is working but on the sFTP i don't wish the test user to be able to go out of that directory in case i give access to other people to the source files.

The settings i now have once i have made tester have permission on /var/www is as follows. I did try giving tester ownership of the /var/www directory and it still never worked, but when i make /var the home directory in SSHD_config it allows the user to log in but logs them into /var instead of the directory i want.:
for /var/www/html/testyourwebsitenow it is
Notice above that the root account is now inside of the tester group here

[root@a000066 log]# sftp tester@**********.com
Connecting to ******.com...
Address ***.***.***.*** maps to *****.setaptr.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
tester@*****.com's password:
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
[/CODE]

The secure log is showing:
Same error as before. I checked the site below who had a similar problem and the guy's solution didn't work for it. It just states that the user still cannot log in via the sFTP even though i changed the ownership to root and gave it 775 permissions

http://askubuntu.com/questions/28089...p-denies-login

From what i have read on the internet, many people are having similar problems and it just seems to be a pain to initially set up i think. Once i have an adequate solution i'll be ok. Filezilla just asks if i want to update my cached key once i type in username and password for the user, when i click yes it just disconnects saying "Software caused network abort" which is probably the same sort of message the command prompt gives me on SSH

Edit:

Sorry i also changed the home directory back a directory as follows in sshd_config now as discussed in the website above and it never worked either after a restart of the sshd:

Match Group tester
ForceCommand internal-sftp
ChrootDirectory /var/www/html
AllowTCPForwarding no
X11Forwarding no


Any other ideas?

Hi,

What are the permissions on /var/www? That seems to be where the problem is.

I'd suggest we try and distinguish between genuine permission issues & SSH issues first. To test the permissions, try and "su" from root to "tester", and then try and cd to /var/www/html/testyourwebsitenow. If that fails, try one directory at a time (cd /var; cd /var/www; etc) until you find the problem directory.

Hi Clifford

Ok what i have now tried is to change the tester's shell from /bin/false to /bin/csh and this has allowed me to log in via the su command in putty. The other shells which worked with su still allowed me to access any file or folder on the server with tester. When i did su with /bin/false it didn't change user which is why i changed it

When i log in as tester it does go into the testyourwebsitenow directory on the server as default, however the user is still able to move back through the directories go /var/www/html and /var/www. The test user can even go into /etc directory and all of the others inside of the main root folder.

the user clearly has permissions to access the whole server. In the /var/www/html/ directory the permissions to this folder now show as:
drwxrwxr-x. 7 root tester 4096 Nov 23 23:22 testyourwebsitenow

the testyourwebsitenow directory which is also owned by root inside of the tester group is showing as:
Finally the ownership of /var/www is showing as follows:
Any new ideas? Just doesn't seem to want to play. Unless the shell is causing the user to gain access to different parts of the system? When i try a ftp tester@********.com it also still says broken pipe after i type in the password. SSHD log says:

As you can probably tell i have some experience but not a massive amount with SSHd. I also read on the net some say the PAM settings might be wrong but something is clearly not allowing the user in via sFTP. If the user can go into /var/www/ does this mean the sftp command should technically work too instead of the error in the sshd log?

Hi there,

Please show me the permissions of /var/www itself (not its contents), i.e. please run "ls -ld /var/www".

Regarding the restriction of access to the desired directory, don't worry about the fact that in SSH/PuTTY you can move around outside it for now. The restriction applies to SSH only, and not to "su", which is why it seems wrong now. Changing the shell back to /bin/false later will solve this again, though.

One area we haven't explored yet, is whether SELinux might be playing a role here. You might want to explore that too ;-)

Regards,

Clifford

Hi Clifford,

shown below are the permission settings for /var/www, sorry i thought i had included that last time

I have also tried changing Selinux from enforced to permissive and also disabled from inside the sysconfig directory and still the user cannot log in via sFTP

I tried to give tester read and execute permissions on /var/www as shown below:
the execute log still shows this once i type sftp tester@****.com
I have also followed the following guides on selinux and still the same issue:
http://kmaiti-1.blogspot.co.uk/2012/...ssages-in.html
https://www.centos.org/forums/viewtopic.php?t=9009

Not sure if i am doing the selinux correctly but i just copied and pasted in the commands they showed to get it set up and finished with the command: semodule -i sftp_chroot_custom_pol.pp

Many thanks,

Mark

If you're trying to restrict file traversal for that user, disable any shell access (ie /usr/sbin/nologin). SFTP chroot won't help you there.

SFTP has a funny way of access method. I see $HOME is set to '/var/www/html/testyourwebsitenow'. The directory '/var' down to 'testyourwebsitenow' must be owned by root. You then create a new subdirectory underneath that, owned and writable by tester. You then sftp into that.

-double post-