CentOS 6.3 sftp chroot jail

CHIadam · 09-19-2012, 02:17 PM

Forget the jailkit idea.. I almost have this completely figured out:

Quote:

Originally Posted by CHIadam

however when I sftp from another box I get this:
sftp> lpwd
Local working directory: /root
This is confusing too.. it let me list the /root contents
sftp> lls
anaconda-ks.cfg install.log.syslog
IBM_Informix_Software_Bundle_InstallLog.log multicast-listener-v2

Then when I do this, I get this!:
sftp> ls -l
drwxr-xr-x 2 500 503 4096 Sep 19 13:26 upload
sftp>

Ok so my buddy who is a far better linux wizard than I am made me realize that lls and lpwd are local (not server).. so that clears up that confusion.

Looks like I just need to sort out the permissions, I'll post once i get that right. I'm sure this will help someone else out there in the future

CHIadam · 09-24-2012, 05:12 PM

I wound up switching over to RHEL 6.0 for an unrelated reason, did the same thing below and set selinux = 0 and it works.

Here is all of my steps, I bet this works on 6.3 CentOS too:

[root@sftp home]# groupadd sftponly
[root@sftp home]# useradd -d /home/user1 -s /bin/false -G sftponly user1
[root@sftp home]# vi /etc/ssh/sshd_config
Comment this out --> Subsystem sftp /usr/libexec/openssh/sftp-server
Add this below it --> Subsystem sftp internal-sftp

#add this to the bottom of the config file

Match Group sftponly
ChrootDirectory /home/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

[root@sftp home]# service sshd restart

[root@sftp home]# chown root:root user1
[root@sftp home]# chmod 755 user1
[root@sftp home]# mkdir uploads
[root@sftp home]# chmod 700 uploads

nishfish · 12-08-2012, 02:27 PM

CHIadam,

Thanks for the posting. Very useful and I can confirm the same works for 6.3, although I think there may be one step you are missing in the previous summary. (I think this is because you "fixed" it in an earlier step)

Once you create the uploads directory, not only do you need to chmod it as suggested but you also need to chown it.

For example:

chown root:root user1
chmod 755 user1
cd user1
mkdir uploads
chown user1:user1 uploads
chmod 700 uploads

fwiw, anyone trying to get a chroot working with vsftpd and ssh, it does not appear to work, but CHIadam's steps will definitely work as a true chroot jail with ssh, with readonly to '/' and read/write to '/uploads'

crwdawg · 01-03-2013, 06:44 PM

This absolutely worked for me, once.
I setup a CentOS 6.3 server and tried several things with VSFTPD before finding this post. After proving it worked, I reloaded to CentOS 6.3 minimal and followed steps and it is not working.
The only thing I did differently the 2nd time was add an uploads folder to /etc/skel so each user I created would already have the /home/%u/uploads folder with their user having the permissions. I then changed /home/%u to be owned by root with 755. I cannot upload a file to the uploads folder, even after changing uploads to 700. Here are permissions as currently set:

[root@localhost ~]# ll /home/
total 20
drwx------. 2 root root 16384 Jan 3 11:56 lost+found
drwxr-xr-x. 3 root root 4096 Jan 3 13:15 user1
[root@localhost ~]# ll /home/user1/
total 4
drwx------. 2 user1 user1 4096 Jan 3 13:15 uploads

Any idea why it is giving me an error?

Permission denied.
Error code: 3
Error message from server: Permission denied
Request code: 3

-Thanks in advance
-Bill

crwdawg · 01-03-2013, 09:10 PM

Forgot to disable SELinux. Now it works.

Side note: Anyone know how to write an SELinux rule so I can leave it enabled and still have SFTP work?

I also found that if I chmod 700 /etc/skel/uploads it will automatically create /home/%u/uploads as the user, and have 700 permissions.

Once again, thanks for the awesome post.

-Bill

crwdawg · 01-03-2013, 09:35 PM

SELinux fix proposed by http://cassjohnston.wordpress.com/20...chrooted-sftp/

Make sure selinux allows write access to chroot’ed home directories:
setsebool -P ssh_chroot_rw_homedirs on

***They suggested that I needed to do the following also, but I found it not necessary***
I also needed to do a restorecon on the home directory to get selinux to allow sftp users to write to their uploads, directory, but I found it not necessary at this time........
restorecon -R /home/$USERNAME

Seems to be working okay now.

-Bill

linuxexplore · 02-27-2013, 02:13 AM

Add the following tail output to your Linux box’s SSH

server configuration file /etc/ssh/sshd_config.

[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then restart sshd service to enable this configuration.

[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com

That’s all now create multiple users for web hosting, and offer the secure sftp access to your customers.
Shell Script to Create Web Hosting Users:

#!/bin/bash
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ ! -d "$HOSTING_DIR" ] && mkdir -p $HOSTING_DIR
grep ^"${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd www-hosting
grep ^"${USR_NAMEP}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g $CHROO_GRP $USR_NAME
chown root:$CHROOT_GRP /home/$USR_NAME
chmod 755 /home/$USR_NAME

Selinux Configuration:

Disable the selinux permanently or configure it for read write user’s home directory in SSH chroot.

[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

For more information, it might help. Chroot SFTP CentOS 6