
Sftp Chroot and directory permissions within Chroot
I've got a chrooted SFTP setup that, for the most part, is working as
designed. I have the following in my sshd config file:

Match group sftponly
ChrootDirectory /var/chroot/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

The permissions on /var/chroot/sftp are:

drwxr-xr-x 16 root root 4096 2009-01-21 11:32 var
drwxr-xr-x 4 root root 4096 2009-01-20 09:45 chroot
drwxr-xr-x 7 root root 99 2009-01-22 09:47 sftp

I have sftp accounts set up as such:

user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash

The chroot itself is working fine. When these accounts sftp, they are
placed into the directory path /var/chroot/sftp/account_name where they
are able to successfully upload and download. Furthermore, they are
successfully jailed inside /var/chroot/sftp.

I have the permissions set on the home directories as such:
drwxr-x--- 2 user1 root 6 2009-01-21 15:58 user1
drwxr-x--- 2 user2 root 21 2009-01-21 15:54 user2

The problem I'm having is that when user1 (for example) establishes an
sftp session, they can issue the following commands:

shell:~$ sftp user1@sftp_machine
Connecting to sftp_machine...
user1@sftp_machine's password:
sftp> pwd
Remote working directory: /user1
sftp> cd ..
sftp> ls
user1 user2
sftp> cd user2
sftp> pwd
Remote working directory: /user2
sftp> ls
Couldn't get handle: Permission denied
sftp>

Now, thankfully, the 750 permissions are preventing the user from
getting a listing of the contents of the second user's directory. But
why is the first user allowed to enter the second user's directory?

One more thing, this is not just happening with user1. It is possible
with all of the sftp accounts on this machine. Also, if I change the
home directory permissions from 750 to 700, the problem persists.

Finally, I should add that, if pertinent, this machine is running Debian
Lenny and is running Debian's package of openssh -- version 5.1p1

Can anybody explain what I am doing wrong?

Thanks,
Bryan


--
Bryan K. Walton
Systems Administrator
Division of Physiologic Imaging
University of Iowa Hospitals and Clinics
Re: Sftp Chroot and directory permissions within Chroot
On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> I've got a chrooted SFTP setup that, for the most part, is working as
> designed. I have the following in my sshd config file:
>
> Match group sftponly
> ChrootDirectory /var/chroot/sftp
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> The permissions on /var/chroot/sftp are:
>
> drwxr-xr-x 16 root root 4096 2009-01-21 11:32 var
> drwxr-xr-x 4 root root 4096 2009-01-20 09:45 chroot
> drwxr-xr-x 7 root root 99 2009-01-22 09:47 sftp
>
> I have sftp accounts set up as such:
>
> user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
>
> The chroot itself is working fine. When these accounts sftp, they are
> placed into the directory path /var/chroot/sftp/account_name where they
> are able to successfully upload and download. Furthermore, they are
> successfully jailed inside /var/chroot/sftp.
>
> I have the permissions set on the home directories as such:
> drwxr-x--- 2 user1 root 6 2009-01-21 15:58 user1
> drwxr-x--- 2 user2 root 21 2009-01-21 15:54 user2
>
> The problem I'm having is that when user1 (for example) establishes an
> sftp session, they can issue the following commands:
>
> shell:~$ sftp user1@sftp_machine
> Connecting to sftp_machine...
> user1@sftp_machine's password:
> sftp> pwd
> Remote working directory: /user1
> sftp> cd ..
> sftp> ls
> user1 user2
> sftp> cd user2
> sftp> pwd
> Remote working directory: /user2
> sftp> ls
> Couldn't get handle: Permission denied
> sftp>
>
> Now, thankfully, the 750 permissions are preventing the user from
> getting a listing of the contents of the second user's directory. But
> why is the first user allowed to enter the second user's directory?
>
> One more thing, this is not just happening with user1. It is possible
> with all of the sftp accounts on this machine. Also, if I change the
> home directory permissions from 750 to 700, the problem persists.
>
> Finally, I should add that, if pertinent, this machine is running Debian
> Lenny and is running Debian's package of openssh -- version 5.1p1
>
> Can anybody explain what I am doing wrong?
>
> Thanks,
> Bryan
>

Try this:

at sshd_config

Match group sftponly
ChrootDirectory /var/chroot/sftp/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

at /etc/passwd

user1:x:1002:1004:SFTP Account,,,:/:/bin/true
user2:x:1002:1004:SFTP Account2,,,:/:/bin/true


This is the way I have it, and it works for me.


Cheers.


Martín
Re: Sftp Chroot and directory permissions within Chroot
On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote:
> On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> > I've got a chrooted SFTP setup that, for the most part, is working as
> > designed. I have the following in my sshd config file:
> >
> > Match group sftponly
> > ChrootDirectory /var/chroot/sftp
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > I have sftp accounts set up as such:
> >
> > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
> >
> > The problem I'm having is that when user1 (for example) establishes an
> > sftp session, they can issue the following commands:
> >
> > shell:~$ sftp user1@sftp_machine
> > Connecting to sftp_machine...
> > user1@sftp_machine's password:
> > sftp> pwd
> > Remote working directory: /user1
> > sftp> cd ..
> > sftp> ls
> > user1 user2
> > sftp> cd user2
> > sftp> pwd
> > Remote working directory: /user2
> > sftp> ls
> > Couldn't get handle: Permission denied
> > sftp>
> >
>
> Try this:
>
> at sshd_config
>
> Match group sftponly
> ChrootDirectory /var/chroot/sftp/%u
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
>
> at /etc/passwd
>
> user1:x:1002:1004:SFTP Account,,,:/:/bin/true
> user2:x:1002:1004:SFTP Account2,,,:/:/bin/true
>
>
> This is the way I have it, and it works for me.

Hi Martin,

Thanks for your email. Regarding your setup, does your setup require
the ownership of the user's directory to be root:root? According to the
documentation, everything in the ChrootDirectory must be owned by root:

"This path, and all its components, must be root-owned directories that
are not writable by any other user or group." -- from the man page for
sshd_config.

If so, how do your users write to their directory?

Thanks,
Bryan Walton
Re: Sftp Chroot and directory permissions within Chroot
On Wed, 2009-01-28 at 15:18 -0600, Walton, Bryan K wrote:
> On Fri, Jan 23, 2009 at 11:29:27AM -0200, Martin Spinassi wrote:
> > On Thu, 2009-01-22 at 11:15 -0600, Walton, Bryan K wrote:
> > > I've got a chrooted SFTP setup that, for the most part, is working as
> > > designed. I have the following in my sshd config file:
> > >
> > > Match group sftponly
> > > ChrootDirectory /var/chroot/sftp
> > > X11Forwarding no
> > > AllowTcpForwarding no
> > > ForceCommand internal-sftp
> > >
> > > I have sftp accounts set up as such:
> > >
> > > user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
> > > user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
> > >
> > > The problem I'm having is that when user1 (for example) establishes an
> > > sftp session, they can issue the following commands:
> > >
> > > shell:~$ sftp user1@sftp_machine
> > > Connecting to sftp_machine...
> > > user1@sftp_machine's password:
> > > sftp> pwd
> > > Remote working directory: /user1
> > > sftp> cd ..
> > > sftp> ls
> > > user1 user2
> > > sftp> cd user2
> > > sftp> pwd
> > > Remote working directory: /user2
> > > sftp> ls
> > > Couldn't get handle: Permission denied
> > > sftp>
> > >
> >
> > Try this:
> >
> > at sshd_config
> >
> > Match group sftponly
> > ChrootDirectory /var/chroot/sftp/%u
> > X11Forwarding no
> > AllowTcpForwarding no
> > ForceCommand internal-sftp
> >
> > at /etc/passwd
> >
> > user1:x:1002:1004:SFTP Account,,,:/:/bin/true
> > user2:x:1002:1004:SFTP Account2,,,:/:/bin/true
> >
> >
> > This is the way I have it, and it works for me.
>
> Hi Martin,
>
> Thanks for your email. Regarding your setup, does your setup require
> the ownership of the user's directory to be root:root? According to the
> documentation, everything in the ChrootDirectory must be owned by root:
>
> "This path, and all its components, must be root-owned directories that
> are not writable by any other user or group." -- from the man page for
> sshd_config.
>
> If so, how do your users write to their directory?
>
> Thanks,
> Bryan Walton

Hi Bryan,

The root of the sftp path is owned by root, and the sub-directories are
owned by the users.

/home/sftpusers is owned by root:root

/home/sftpusers/user1 is owned by user1:user1
/home/sftpusers/user2 is owned by user2:user2


Hope it helps.


Cheers

Martín