LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   sftp and chroot on raspbian (https://www.linuxquestions.org/questions/linux-newbie-8/sftp-and-chroot-on-raspbian-4175625007/)

TwelveKanaw 03-05-2018 05:25 PM

sftp and chroot on raspbian
 
Using Raspbian (stretch) on Pi 3b. Exploring SSH, sftp, and editing /etc/sshd_config.

I'd like to use sftp in the following way: 1) make a group for sftp users and make user accounts for the purpose (the easy part, - and this is done) 2) jail all the users by group in their home directories using Chroot and 3) nonetheless, allow them to follow a symlink to attached NTFS storage.

This sounds contradictory and I expect that it is but what do I know?

I can easily create the group and users and I understand that Chroot requires root ownership of all directories in the path to the jail. So far, so good. I can jail them by user or group with, for example, these lines in sshd_config:

Match group <group>
ChrootDirectory %h

This jails them (I'm aware that Chroot is not really secure but it meets my needs) but a symbolic link to the external storage is not resolvable.

Is this even possible? Is there a way to produce the same effect? I aim to end up with a standard user account that's only for sftp purposes, can read and possibly write, and is restricted to browsing a shared folder. This attempt is the way that occurred to me first.

I'd be glad to learn 6 ways to do this but one would be nice, too.

Thanks.

AwesomeMachine 03-06-2018 12:15 AM

What happens when you try to follow the link to attached storage?

TwelveKanaw 03-06-2018 01:26 AM

I'm testing the ftp connection from my Android phone using Solid Explorer with the ftp plugin. Rather than following the link, Solid asks what program to use to open the file and offers a list of choices, all things like picture viewers or word file programs. Without the Chroot restriction in sshd_config, the ftp client follows the link to the external storage and everything proceeds in normal ftp fashion. This would be useful if the whole Pi file system wasn't wide open as well without Chroot. I attempted to download the link - just to see what would happen - and got an error message.


All times are GMT -5. The time now is 01:41 PM.