LinuxQuestions.org

Linux - Server: Create SFTP only user and allow access to already created directory (https://www.linuxquestions.org/questions/linux-server-73/create-sftp-only-user-and-allow-access-to-already-created-directory-4175464757/)

amitpatil 06-04-2013 10:39 PM

Create SFTP only user and allow access to already created directory
 
I want to create a user who can only sftp and can't ssh. There are a lot of tutorials for creating sftp-only users; going through one of those articles I am able to create a user who can sftp to the server, but all of the articles create a new folder and then allow access to it.
In my case I have already created a folder (with a lot of important files in it) to which I want to allow access.
There are commands in the article; I just want to make sure the same commands will work for an existing directory?

What I am up to:

1) I followed this article http://techinternets.com/chrootjailv6#7
2) I have a user ready (mark) who can access /home/jail/mark
3) Now I want to allow him access to /home/admin/domains/domain.com/public_html/access

How can I do it?

(Note: I am not a server guy, I am a programmer, and hardly know Unix/Linux commands.)

amitpatil 06-05-2013 01:01 AM

No one is there ???

amitpatil 06-05-2013 01:14 AM

After reading somewhere, I ran this command:
sudo usermod -d /home/admin/domains/domain.com/public_html/assets mark

and then connected through sftp... whoa, he has got root access, I can see
directories like "bin, boot, srv, var, home"; this is not what I wanted :( :(

Please, someone help me.

Turbocapitalist 06-05-2013 02:46 AM

Forget the chroot tutorial you found above; everything you need is already provided by OpenSSH. It's built in. You can chroot SFTP users very easily by doing something like the following in sshd_config:

Code:

Subsystem sftp internal-sftp

Match Group sftp-only
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

That will make any member of the group 'sftp-only' only able to use SFTP inside their home directory. They will not be able to use SSH nor will they be able to see anything outside of the home directory. One gotcha is that their home directory has to be owned by root, but the files and subdirectories can be owned by them.

You can read more about SFTP in the Wikibook and then hopefully the manual pages for sshd_config(5) and sshd(8) will be more clear.

amitpatil 06-05-2013 02:59 AM

@Turbocapitalist: thanks for the reply, the article link you sent is really useful, I am going through it, but can you tell me what I did wrong in my above post? Why did that newly created user get access to the root folder?
What command do I have to use if I want to edit a user's home directory?

Turbocapitalist 06-05-2013 03:03 AM

Steps #1 - #6 should be unnecessary in a normal Linux distro. You'll get the packages you need directly from the repository instead. It's much easier to manage the system that way. Also with the standard packages, the standard tutorials and HowTos will apply.

Step #7 points to a non-standard location for the SFTP subsystem. If you copied it verbatim, it may not work. The example I pointed to uses the built-in SFTP subsystem.

Steps #8 - #10 should be OK, but jail the user somewhere other than their home directory.

amitpatil 06-05-2013 03:29 AM

When you say "Jail the user to some other home directory", what does it mean? Sorry, I am not a Linux user so I hardly know any concepts (common technical words used in Linux). Do you want me to make changes to the below lines:

Code:

mkdir /home/jail
chown root:root /home/jail
chmod 755 /home/jail

Change it to something like this? (The mkdir command will not be needed as the directory already exists.)

Code:

chown root:root /home/admin/domains/domain.com/public_html/assets
chmod 755 /home/admin/domains/domain.com/public_html/assets


Turbocapitalist 06-05-2013 03:46 AM

The directory specified by sshd_config's ChrootDirectory has to be owned by root and writable by no one else. The sub-directories and files therein can be owned by your user. So I'd guess you mean something like this:

Code:

chown root:root /home/admin/domains/domain.com/
chown -R someuser:someuser /home/admin/domains/domain.com/public_html

And then include in sshd_config a matching line:

Code:

ChrootDirectory /home/admin/domains/domain.com/

Notice that the subdirectory public_html is writable by the user and thus is not included in the ChrootDirectory directive.

About the concepts, chroot is a way of isolating part of the file system by pretending that the one part is the root (top-level) of the system. The 'jail' is a name for the part that is being isolated.

The same concepts apply in the other systems like the BSDs and OS X.
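The "owned by root and writable by no one else" rule stated in the two replies above is the one sshd enforces on the ChrootDirectory and on every ancestor directory up to /; if any component fails it, the login is rejected with "bad ownership or modes for chroot directory" in the sshd log. The following is an added example, not code from the thread or from OpenSSH: a POSIX sh checker that walks a path upward and reports each component that breaks the rule. It assumes Linux (GNU or busybox `stat -c`). The OWNER_UID and STOP parameters are additions of this example so the check can be exercised on a tree owned by an unprivileged user; for a real pre-flight check leave them at their defaults (uid 0 and /). The demonstration tree it builds is constructed, with a user-writable public_html below the chroot as in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a directory satisfies
# sshd's ChrootDirectory rules before pointing sshd_config at it.
# sshd checks the chroot directory and every ancestor up to /: each must be
# owned by root and must not be writable by group or others; otherwise the
# login fails with "bad ownership or modes for chroot directory".
# Assumes Linux (GNU or busybox stat with -c). OWNER_UID and STOP are
# parameters added for this example so the check can run on a tree owned by
# an unprivileged user; for a real check use the defaults (uid 0 and /).

# check_chroot_path DIR [OWNER_UID] [STOP]
# Returns 0 if DIR and all ancestors up to STOP are acceptable, 1 otherwise,
# printing one line per offending component.
check_chroot_path() {
    p=$1
    owner=${2:-0}
    stop=${3:-/}
    rc=0
    # Drop a trailing slash so the comparison with STOP is exact.
    if [ "$p" != "/" ]; then p=${p%/}; fi
    while :; do
        if [ ! -d "$p" ]; then
            echo "not a directory: $p"
            return 1
        fi
        uid=$(stat -c '%u' "$p")
        perm=$(stat -c '%A' "$p")      # symbolic mode, e.g. drwxr-xr-x
        if [ "$uid" != "$owner" ]; then
            echo "bad owner (uid $uid, want $owner): $p"
            rc=1
        fi
        # In the symbolic mode the 6th character is group write and the
        # 9th is other write; either one disqualifies the directory.
        case $perm in
            ?????w*|????????w*)
                echo "group/other writable ($perm): $p"
                rc=1 ;;
        esac
        if [ "$p" = "$stop" ]; then break; fi
        parent=$(dirname "$p")
        if [ "$parent" = "$p" ]; then break; fi   # reached /
        p=$parent
    done
    return $rc
}

# Stand-alone demonstration on a constructed tree in a temp directory:
# 'good' follows the rule (chmod 755 at the chroot level, user-writable data
# below it); 'bad' is group-writable at the chroot level and must be rejected.
demo_chroot_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/public_html" "$tmp/bad/public_html"
    chmod 755 "$tmp" "$tmp/good"
    chmod 775 "$tmp/good/public_html"   # subdirectory may be writable by the user
    chmod 775 "$tmp/bad"
    me=$(id -u)
    if check_chroot_path "$tmp/good" "$me" "$tmp"; then
        echo "good: acceptable as ChrootDirectory"
    fi
    if check_chroot_path "$tmp/bad" "$me" "$tmp"; then
        echo "bad: unexpectedly accepted"
    else
        echo "bad: rejected as expected"
    fi
    rm -rf "$tmp"
}

demo_chroot_check
```

On a real system run `check_chroot_path /home/admin/domains/domain.com` as root with the defaults, fix whatever it reports with chown/chmod, and then validate the edited sshd_config with `sshd -t` before restarting the service.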

amitpatil 06-05-2013 03:54 AM

I will try these two commands, but before that I want to ask one important question:
I have files in
Code:

/public_html

Question is: will those commands affect the files inside the folder?

Turbocapitalist 06-05-2013 03:59 AM

If you set up an SFTP only chrooted directory then

/home/admin/domains/domain.com/public_html

will appear as

/domain.com/public_html

to the chrooted sftp user during the time they are using SFTP.

To the other users, especially regular system users, it will appear as

/home/admin/domains/domain.com/public_html

So even if the directory is chrooted for certain SFTP users, you as administrator will still be able to access it as a regular directory with all programs and "commands":

/home/admin/domains/domain.com/public_html

The contents inside that directory are not affected one way or another, just access to the directories is affected.

amitpatil 06-05-2013 04:12 AM

@Turbocapitalist : Thanks for the help, I will give it a try.


All times are GMT -5. The time now is 10:18 PM.