Old 02-12-2019, 02:45 PM   #1
skilli
LQ Newbie
 
Registered: Sep 2017
Posts: 9

Restrict one user to single directory


Hi, all,

Firstly, my actual question: How do I restrict a user to only have SFTP access to a single directory and its children?

Secondly, what I've tried:
  1. Configured the user's shell to be /usr/sbin/nologin
  2. Set the user's home directory to the path I want
  3. Configured a "Match User" setting in sshd_config with ChrootDirectory set to the parent of the directory I want to lock the user into.

When I log in with this user, I'm instantly kicked out. When I check my journalctl output, I see this message:
Code:
bad ownership or modes for chroot directory component
A bit of Googling tells me that I have to make sure root owns the Chroot'ed directory and all the directories above it. That last bit is a problem for me. This directory is in an archive directory that a lot of users have access to. Users within our intranet actually need access to the specific directory I'm trying to chroot this "untrusted" user into.

Is there some way I can configure this to not require root to own all the directories above it? Is there another solution to restrict the user other than using this ChrootDirectory option? Is there some other option altogether?
 
Old 02-12-2019, 02:57 PM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 9,775

This is evil, and perhaps messy, but could you chroot him to some directory?
 
Old 02-12-2019, 03:03 PM   #3
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,671
Blog Entries: 3

You can chroot them to a directory owned by root, and not writable by anyone else, but containing a subdirectory which is bind mounted to the other read-write directory hierarchy.

Code:
man sshd_config
man mount
 
Old 02-12-2019, 03:21 PM   #4
skilli
LQ Newbie
 
Registered: Sep 2017
Posts: 9

Original Poster
Quote:
Originally Posted by business_kid
This is evil, and perhaps messy, but could you chroot him to some directory?
Hi, business_kid, thanks for responding. I tried configuring a chroot in sshd_config but the "directories owned by root" restriction makes that impossible with my current setup (I think?). When I Google chroot'ing in general, I get a lot of stuff about locking users' shell and X sessions into a "fake" root system, but I'm trying to restrict the user to just sftp access. Is there another way to set up a chroot for this scenario?
 
Old 02-12-2019, 03:21 PM   #5
skilli
LQ Newbie
 
Registered: Sep 2017
Posts: 9

Original Poster
Quote:
Originally Posted by Turbocapitalist
You can chroot them to a directory owned by root, and not writable by anyone else, but containing a subdirectory which is bind mounted to the other read-write directory hierarchy.

Code:
man sshd_config
man mount
Interesting idea; I'll try it out when I get back onto the server in an hour or two and see if that works.
 
Old 02-13-2019, 05:41 AM   #6
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 9,775

IIRC, if the directory is read only (644), the 'directory owned by root' applies.

But if there's a 5 for the user (e.g. 755) a user can cd into it OK. Don't leave binaries lying around for him to play with.
 
  

