Old 10-05-2011, 05:27 PM   #1
Registered: May 2007
Posts: 114

Rep: Reputation: 15
Jailkit - SFTP users can see other user's home dirs

Hello all...

I have successfully set up Jailkit, both with FTP and SFTP users. The FTP users are fully contained in their home directories and can't see anything above them, but when I connect with WinSCP as an SFTP user, I can ascend to the "home" directory above the user's home dir and see the names of all other users' home dirs.

While I'm not able to descend into other users' home directories, I'm all but certain that customers won't appreciate their anonymity being compromised by others seeing that they're a customer of ours.

Each user's home directory has 700 perms and the jailed home directory above it has 755. I've tried reducing this to 750 but then SFTP logins fail.

Does anyone have a workaround to this issue besides setting up dedicated jails for each login?


Old 10-06-2011, 02:17 AM   #2
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 153

Rep: Reputation: 44
FTP is a dedicated server application. Obviously JailKit modifies its behaviour appropriately.

ASIDE: FTP should no longer be used for authenticated access. Anonymous access is fine, but if used for user access then passwords could be sent across the network in the clear to any snoopers between the user and the machine.

SFTP is completely different: it connects using SSH, and runs a pseudo FTP file transfer session over that encrypted link, much like SCP can also do file transfers. As such, what modifies FTP will generally not modify SFTP behaviour.

It will not be 'jailed', unless you can find a more restricted SFTP subsystem program. The subsystem program is declared in /etc/ssh/sshd_config, and on my system is /usr/libexec/openssh/sftp-server.
Old 10-06-2011, 10:53 AM   #3
Registered: May 2007
Posts: 114

Original Poster
Rep: Reputation: 15
Thanks for the reply. I am aware of the differences between FTP and SFTP and what the shortcomings in the FTP protocol are. Jailkit doesn't modify the behavior of the FTP server; it provides a different shell to the user once the user is authenticated.

My problem is with the way Jailkit allows users who have been given access to the sftp-subsystem to see the contents of their home directory's parent folder. FTP users in the same jail can't leave their home directory, so I'm trying to understand why SFTP users can. If you or anyone else have any more ideas as to what I can do to limit this behavior, I'd appreciate hearing them.
Old 10-07-2011, 08:26 AM   #4
Registered: Mar 2007
Location: Spain
Distribution: Debian
Posts: 201

Rep: Reputation: 36
If you allow sftp access to the system then you should limit access from ssh itself.

Adding the next lines to your /etc/ssh/sshd_config will limit access

# replaces the external server, e.g. Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group yourgrouphere
    # sshd requires the chroot target (and every parent) to be root-owned
    # and not writable by group or others, otherwise the login fails
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
Old 10-09-2011, 07:48 PM   #5
Registered: May 2006
Location: Brisbane, Australia
Distribution: linux
Posts: 153

Rep: Reputation: 44
Are there some other alternatives (variations) to internal-sftp, or other types of ssh subsystems that have been developed?

SSH has been around for a long time and I'm certain someone must have done some projects in this area.

