LinuxQuestions.org
Old 06-04-2013, 10:39 PM   #1
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Rep: Reputation: Disabled
Create SFTP only user and allow access to already created directory


I want to create a user who can only sftp and can't ssh. There are a lot of tutorials for creating sftp-only users. Going through one of those articles, I am able to create a user who can sftp to the server, but all of the articles create a new folder and then allow access to it.
In my case I have already created a folder (with a lot of important files in it) to which I want to allow access.
There are commands in the article; I just want to make sure: will the same command work for an existing directory?

What I am up to:

1) I followed this article http://techinternets.com/chrootjailv6#7
2) I have a user ready (mark) who can access /home/jail/mark
3) Now I want to allow him access to /home/admin/domains/domain.com/public_html/access

How can I do it?

(Note: I am not a server guy; I am a programmer and hardly know Unix/Linux commands.)
 
Old 06-05-2013, 01:01 AM   #2
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
No one is there ???
 
Old 06-05-2013, 01:14 AM   #3
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
After reading about it somewhere, I ran this command:
sudo usermod -d /home/admin/domains/domain.com/public_html/assets mark

and then connected through sftp... whoa, he has got root access, I can see directories like "bin,boot,srv,var,home". This is not what I wanted.

Please, someone help me.
 
Old 06-05-2013, 02:46 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
Forget the chroot tutorial you found above; everything you need is already provided by OpenSSH. It's built in. You can chroot SFTP users very easily by doing something like the following in sshd_config:

Code:
Subsystem sftp internal-sftp

Match Group sftp-only
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

That will make any member of the group 'sftp-only' only able to use SFTP inside their home directory. They will not be able to use SSH nor will they be able to see anything outside of the home directory. One gotcha is that their home directory has to be owned by root, but the files and subdirectories can be owned by them.

You can read more about SFTP in the Wikibook and then hopefully the manual pages for sshd_config(5) and sshd(8) will be more clear.
 
Old 06-05-2013, 02:59 AM   #5
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
@Turbocapitalist: thanks for the reply. The article link you sent is really useful and I am going through it, but can you tell me what I did wrong in my post above? Why did that newly created user get access to the root folder?
What command do I have to use if I want to edit a user's home directory?
 
Old 06-05-2013, 03:03 AM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
Steps #1 - #6 should be unnecessary in a normal Linux distro. You'll get the packages you need directly from the repository instead. It's much easier to manage the system that way. Also with the standard packages, the standard tutorials and HowTos will apply.

Step #7 points to a non-standard location for the SFTP subsystem. If you copied it verbatim, it may not work. The example I pointed to uses the built-in SFTP subsystem.

Steps #8 - #10 should be ok, but jail the user somewhere other than their home directory.
 
Old 06-05-2013, 03:29 AM   #7
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
When you say "Jail the user to some other home directory", what does it mean? Sorry, I am not a Linux user, so I hardly know any of the concepts (common technical words used in Linux). Do you want me to make changes to the lines below?

Code:
mkdir /home/jail
chown root:root /home/jail
chmod 755 /home/jail

Change it to something like this? (The mkdir command will not be needed as the directory already exists.)

Code:
chown root:root /home/admin/domains/domain.com/public_html/assets
chmod 755 /home/admin/domains/domain.com/public_html/assets
 
Old 06-05-2013, 03:46 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
The directory specified by sshd_config's ChrootDirectory has to be owned by root and writable by no one else. The sub-directories and files therein can be owned by your user. So I'd guess you mean something like this:

Code:
chown root:root /home/admin/domains/domain.com/
chown -R someuser:someuser /home/admin/domains/domain.com/public_html

And then include in sshd_config a matching line:

Code:
ChrootDirectory /home/admin/domains/domain.com/

Notice that the subdirectory public_html is writable by the user and thus is not included in the ChrootDirectory directive.

About the concepts, chroot is a way of isolating part of the file system by pretending that the one part is the root (top-level) of the system. The 'jail' is a name for the part that is being isolated.

The same concepts apply in the other systems like the BSDs and OS X.
 
Old 06-05-2013, 03:54 AM   #9
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
I will try these two commands, but before that I want to ask one important question.
I have files in
Code:
/public_html

The question is: will those commands affect the files inside the folder?
 
Old 06-05-2013, 03:59 AM   #10
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
If you set up an SFTP only chrooted directory then

/home/admin/domains/domain.com/public_html

will appear as

/domain.com/public_html

to the chrooted sftp user during the time they are using SFTP.

To the other users, especially regular system users, it will appear as

/home/admin/domains/domain.com/public_html

So even if the directory is chrooted for certain SFTP users, you as administrator will still be able to access it as a regular directory with all programs and "commands":

/home/admin/domains/domain.com/public_html

The contents inside that directory are not affected one way or another, just access to the directories is affected.
 
Old 06-05-2013, 04:12 AM   #11
amitpatil
LQ Newbie
 
Registered: Jun 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
@Turbocapitalist : Thanks for the help, I will give it a try.
 
  


All times are GMT -5. The time now is 12:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration