LinuxQuestions.org


manutdfan1988 03-10-2011 08:39 AM

Lockdown User to Home Directory with SSH problem
 
I am having problems setting up SFTP on a Red Hat server to clamp users down to their home directory.

I have created the user, removed the /bin/bash login shell and replaced it with the line below in the passwd file. The user can log in by SFTP but can browse around the server and download any files apart from other users' files. I have also assigned the user to the sftp user group.

Code:

SFTPUser:x:515:515::/home/SFTPUser:/usr/libexec/openssh/sftp-server

Added the following section to the file /etc/ssh/sshd_config:

Code:

Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no

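Before tuning the Match block further, two things sshd requires for a chroot to take effect are worth checking: the ownership and mode of every component of the chroot path, and whether the Match block actually applies to the user. The script below is an added example, not code from the thread; it assumes Linux with GNU coreutils (stat -c) and a "Match Group" layout like the one posted above.

```bash
#!/bin/bash
# Added example, not from the thread: pre-flight checks for a "ChrootDirectory %h" SFTP
# jail. Assumes Linux with GNU coreutils (stat -c) and a "Match Group <group>" block.

# check_dir DIR: 0 = root-owned and not writable by group/others; 1 = stat failed;
# 2 = group/other-writable; 3 = not owned by root. sshd runs this test on the chroot
# directory and on every parent, and drops the session if any component fails
# ("bad ownership or modes for chroot directory" in the auth log).
check_dir() {
    m=$(stat -c '%a %u' "$1") || return 1     # octal mode, numeric owner uid
    set -- $m
    [ $(( 0$1 & 022 )) -eq 0 ] || return 2     # group (020) or other (002) write bit
    [ "$2" -eq 0 ] || return 3
}

# check_chroot_path DIR: walk from DIR up to /, stopping at the first bad component.
check_chroot_path() {
    d=$1
    while :; do
        check_dir "$d" || return $?
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# check_match_block CONFIG GROUP: 0 if the "Match Group GROUP" block sets ChrootDirectory
# and forces internal-sftp; 4 if no such block exists; 5 if it is incomplete. A block
# that never applies (wrong group, sshd not reloaded) leaves the session unconfined,
# which is exactly the "user can browse the whole server" symptom above.
check_match_block() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); if (inblock) found = 1; next }
        inblock && tolower($1) == "chrootdirectory" { chroot = 1 }
        inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { force = 1 }
        END { if (!found) exit 4; if (!(chroot && force)) exit 5 }
    ' "$1"
}

# Demonstration on a constructed config resembling the block posted in the thread.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
EOF
check_match_block "$cfg" sftp && echo "Match Group sftp block: OK"
rm -f "$cfg"
```

Run `check_chroot_path /home/SFTPUser` on the real host: a return of 2 or 3 means sshd would refuse the chroot, while a clean path together with an unconfined session points at the Match block not applying to that user.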

d072330 03-10-2011 08:45 AM

Try this if you have VSFTP installed:

http://www.cyberciti.biz/tips/vsftp-...directory.html

agentbuzz 03-10-2011 09:33 AM

chrooting users to home directories
 
Hello,
This tutorial was written for Debian users, but the script that you have to download works for Debian, Red Hat, and SuSE:
http://www.howtoforge.com/chrooted-s...l-debian-lenny

The script creates the device nodes in the jails and copies the programs and libraries to the jail.

There is a bug in the script, and you have to make lines 406 and 407 look like the following (without the line numbers, of course):
Code:

    406 TMPFILE1=`mktemp` ||  TMPFILE1="${HOME}/ldlist"; if [ -x ${TMPFILE1} ]; then mv ${TMPFILE1} ${TMPFILE1}.bak;fi
    407 TMPFILE2=`mktemp` ||  TMPFILE2="${HOME}/ldlist2"; if [ -x ${TMPFILE2} ]; then mv ${TMPFILE2} ${TMPFILE2}.bak;fi

Also, if it can't find a library (like libcap.so.1) then symlink it to the library that is being used:
Code:

lrwxrwxrwx 1 root root    16 2011-03-10 09:29 /lib/libcap.so.1 -> /lib/libcap.so.2
lrwxrwxrwx 1 root root    14 2010-08-14 12:15 /lib/libcap.so.2 -> libcap.so.2.17
-rw-r--r-- 1 root root 18888 2010-03-08 15:46 /lib/libcap.so.2.17

There should be no errors, and the script should report the following and exit:
Code:

Copying necessary library-files to jail (may take some time)
Copying files from /etc/pam.d/ to jail
Copying PAM-Modules to jail


szboardstretcher 03-10-2011 09:34 AM

FYI: I got this to work on Fedora 14.

manutdfan1988 03-11-2011 03:47 AM

Thanks for the responses;

d072330 - the only problem is that that is standard FTP, and I am trying to get it working using SFTP.

agentbuzz - I have followed the steps in the "Enable Chrooted SFTP" section, which didn't require me to run the script; that was in the chrooted SSH section.

I am still having a few problems. The user can log in OK, but the full directory tree can be viewed. I presumed it would cut off at the home directory node so the user cannot see anything above their own folders.

agentbuzz 03-11-2011 07:20 AM

/home/home chroot
 
manutdfan1988:
Do you mean users can browse "/home"? Did you make the symlink inside of /home?
Code:

cd /home
ln -s . home

When the user logs in, he should see the following when he's trying to look around the file system:
Code:

-bash-4.1$ ls -l /sbin
total 36
-rwxr-sr-x 1 root 42 35488 Jul  7  2010 unix_chkpwd
-bash-4.1$ ls -l /home
lrwxrwxrwx 1 root root 1 Mar 11 12:28 /home -> .
-bash-4.1$ ls -l /root
ls: cannot access /root: No such file or directory
-bash-4.1$ ls -l /boot
ls: cannot access /boot: No such file or directory

Also, you still have to do a recursive chown to the user's home directory so that the .bash_profile and other files are writable.

manutdfan1988 03-17-2011 07:57 AM

Users can browse the whole file system structure, so everything from '/' onwards.

I have just added the symlink and that seems to have made no difference.

I have also chown'ed the directory recursively and chmod'ed the directory to 700.

I have changed it over to Match User instead of Match Group, just in case that was causing the problem, but again still no luck.

Thanks

manutdfan1988 03-30-2011 10:59 AM

Still not having any luck on this. I tried the following link, using the comment at the bottom, but the same as always happens: the user can SFTP but can see the whole file structure on the server.

https://access.redhat.com/kb/docs/DOC-34390

Any ideas would be much appreciated.

d072330 01-29-2013 03:36 PM

I'm sure you have solved this by now, but you can run vsftp on a secure port according to this site:
