I needed to set up an sftp server for an external user to upload data for an internal developer.
What I did was create a chrooted user for the external guy, then create an internal group with full permissions to that directory, and then make the internal developer a member of that group so he could grab whatever he needed, etc.
My question is how can I minimize the permissions of the chrooted user so that he/she can upload ONLY, not list what's in the directory, manipulate what's already in there, etc. When I tried locking down the permissions I started running into problems - with only write and/or execute the user was not able to get into the directory, etc. Or is this a limitation with this kind of setup, namely that the chrooted user has to have elevated (rwe) permissions for this to work?
The below is required to be created/added one time only
Create a group (this is one time process)
Run the below command to create the group
# groupadd <groupname>
Ex: # groupadd sftponly (I used sftponly as the group name)
Once we create the group, we will edit the file called sshd_config, which is under
"/etc/sshd" directory
# vi /etc/ssh/sshd_config
Go to line where it says
Subsystem sftp xxxxxxxxx change it to below
Subsystem sftp internal-sftp
In the same file go to the bottom of the file and add the below
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
You can reload or restart the sshd Daemon
# service sshd reload
Note: The above is a one-time process; it's like set and forget.
Now coming to users, we have to perform the operation for each new user.
Remember the default home directory for users is /home/<username>
Creating a new user for sftp process:
Create/add a new user
# useradd <username>
Ex: # useradd sftptest (I took the sftptest user as an example)
Now, we modify the primary group of user
# usermod -aG <group> <user>
Ex: # usermod -aG sftponly sftptest
Create an upload directory under the user's home directory.
# sudo -u sftptest mkdir -pv /home/sftptest/upload
Change the file owner and group
# chown root. /home/sftptest
Change the file mode bits
# chmod 755 /home/sftptest
Change the group ownership
# chgrp -R sftponly /home/sftptest
Yeah, but for whatever reason when I give the user only wx permissions it does not allow them to CD into the directory. I suppose it has something to do with chroot/sftp set up.
Having cd-ed into the folder, they find themselves unable to (R)ead it, which causes an error.
Usually you set a folder eXecutable but not Readable when you intend for people to chdir straight past it -- i.e. cd /restricted/folder/somethingelseinsidewhichIamallowedtouse
Sometimes you can get this sort of behavior by having a special daemon process watch the dir and move files out once they are opened, so there is nothing to see.
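Pulling together the Match block and ownership rules from the answer above and the "executable but not readable" point in the last reply, here is an added example (not a script from anyone in this thread) in the form of shell helpers. It assumes Linux with OpenSSH's internal-sftp and POSIX ls/awk; the group name sftponly and the %h chroot layout follow the thread, while the function names and the 0730 drop-box mode are this example's own choices. The drop-box directory is deliberately root-owned: internal-sftp lets a user chmod anything they own, so an uploader who owned the upload directory could simply grant themselves read access again.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or answerer's script).
# Helpers for an upload-only ("drop box") chrooted SFTP layout.
# Assumes Linux with OpenSSH internal-sftp and POSIX ls/awk.

# Permission string of a path, e.g. "drwxr-xr-x" (ACL marker cut off).
perm_string() { ls -ld "$1" | cut -c1-10; }

# Numeric owner uid of a path.
owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }

# sshd refuses a ChrootDirectory (and every parent of it) that is not
# owned by root or that is writable by group or others. Prints each
# problem found and returns 0 only when the directory is acceptable.
check_chroot_dir() {
    p=$(perm_string "$1"); rc=0
    [ "$(owner_uid "$1")" -eq 0 ] || { echo "$1: must be owned by root"; rc=1; }
    case $p in
        ?????w????|????????w?) echo "$1: group/world writable ($p)"; rc=1 ;;
    esac
    return $rc
}

# Mode check for the upload directory: drwx-wx--- (0730). Group members
# get w+x, so they can enter the directory and create files, but no r,
# so they cannot list what is already there.
dropbox_mode_ok() {
    p=$(perm_string "$1")
    [ "$p" = "drwx-wx---" ] || { echo "$1: expected drwx-wx--- (0730), got $p"; return 1; }
}

# Full drop-box check: correct mode and root ownership, so the uploader
# (who does not own the directory) cannot chmod the read bit back on.
check_dropbox_dir() {
    rc=0
    dropbox_mode_ok "$1" || rc=1
    [ "$(owner_uid "$1")" -eq 0 ] || { echo "$1: should be root-owned so the uploader cannot chmod it"; rc=1; }
    return $rc
}

# Emit the sshd_config Match block shown in the answer for GROUP.
sshd_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %%h\n'
    printf '    ForceCommand internal-sftp\n'
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
}

# Demonstrate why w+x without r is the upload-only combination: a
# directory with mode 0300 can be entered and written to, but not listed.
# Returns 0 when that is observed, 2 when run as root (root bypasses
# mode bits entirely, so the demonstration is inconclusive), 1 otherwise.
demo_dropbox_semantics() {
    [ "$(id -u)" -ne 0 ] || return 2
    d=$(mktemp -d) && chmod 0300 "$d" || return 1
    rc=0
    ( cd "$d" ) || rc=1                 # x bit: entering the directory works
    : > "$d/upload.txt" || rc=1         # w+x: creating a new file works
    ls "$d" >/dev/null 2>&1 && rc=1     # no r bit: listing must fail
    chmod 0700 "$d"; rm -rf "$d"
    return $rc
}
```

Typical use on the layout from the answer: `check_chroot_dir /home/sftptest` (expects root:root and 755, as set there) and, after `chown root:sftponly /home/sftptest/upload; chmod 0730 /home/sftptest/upload`, `check_dropbox_dir /home/sftptest/upload`. The reason the original attempt failed is that the chroot directory itself (the user's home) must stay traversable (x) and root-owned; only the upload subdirectory should lose its read bit. Files the uploader creates are still owned by the uploader, so they can overwrite their own uploads; moving files out of the drop box promptly, as the last reply suggests, closes that gap.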