Sftp server/chrooted trying to limit user permissions

I needed to set up an sftp server for an external user to upload data for an internal developer.

What I did was create a chrooted user for the external guy, then create an internal group with full permissions to that directory, and then make the internal developer a member of that group so he could grab whatever he needed, etc.

My question is: how can I minimize the permissions of the chrooted user so that he/she can upload ONLY, not list what's in the directory, manipulate what's already in there, etc.? When I tried locking down the permissions I started running into problems; with only write and/or execute the user was not able to get into the directory, etc. Or is this a limitation with this kind of setup, namely that the chrooted user has to have elevated (rwe) permissions for this to work?

Ok, I recently configured this on a Linux machine.

You will run all the below commands as root.

The below is required to be created/added one time only.

Create a group (this is a one-time process). Run the below command to create the group:

# groupadd <groupname>
Ex: # groupadd sftponly (I used sftponly as the group name)

Once we create the group, we will edit the file called sshd_config, which is under the /etc/ssh directory:

# vi /etc/ssh/sshd_config

Go to the line where it says

Subsystem sftp xxxxxxxxx

and change it to the below:

Subsystem sftp internal-sftp

In the same file, go to the bottom of the file and add the below:

Match Group sftponly
 ChrootDirectory %h
 ForceCommand internal-sftp
 X11Forwarding no
 AllowTcpForwarding no

You can reload or restart the sshd daemon:

# service sshd reload

Note: The above is a one-time process; it's like set and forget.

Now coming to users: we have to perform the operation for each new user.

Remember the default home directory for users is /home/<username>.

Creating a new user for the sftp process:

Create/add a new user:

# useradd <username>

Ex: # useradd sftptest (I took the sftptest user as an example)

Now, we modify the primary group of the user:

# usermod -aG <group> <user>

Ex: # usermod -aG sftponly sftptest

Create an upload directory under the user's home directory:

# sudo -u sftptest mkdir -pv /home/sftptest/upload

Change the file owner and group:

# chown root. /home/sftptest

Change the file mode bits:

# chmod 755 /home/sftptest

Change the group ownership:

# chgrp -R sftponly /home/sftptest

You will repeat the same process for each user.

I hope this helps.

The ability to eXecute a directory is what allows you to cd into it.

The ability to Write to a directory is what allows you to add files to it, as well as delete and rename them.

The ability to Read a directory is what allows you to list its contents.

It may be possible to make a write-only directory with access control lists, but ordinary rwx doesn't offer this.

You could also just give him a different folder. Nothing to stomp on or delete except his own files that way.
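The chown root. and chmod 755 steps in the first answer are not arbitrary: sshd only honours ChrootDirectory when every component of the path, from / down to the chroot itself, is owned by root and not writable by group or others; otherwise the login is refused and sshd logs "bad ownership or modes for chroot directory". The following added example (not code from either answer) checks a chroot path against that rule and translates a directory's rwx bits into the cd / list / add-or-delete capabilities the second answer describes. The DirEntry records and the GOOD_CHAIN / BAD_CHAIN samples are constructed to mirror the answer's /home/sftptest layout; chroot_chain_from_disk is a helper for running the same check against a real path.

```python
import os
import stat
from typing import Dict, Iterable, List, NamedTuple


class DirEntry(NamedTuple):
    """Ownership and mode of one directory on the chroot path, as os.stat would report it."""
    path: str
    uid: int
    mode: int  # full st_mode, including the file-type bits


def dir_capabilities(mode: int, who: str) -> Dict[str, bool]:
    """Translate one rwx triple of a directory mode into what it permits on a directory.

    who is 'owner', 'group' or 'other'.  For directories: x = cd into it,
    r = list its names, w (together with x) = create, delete or rename entries.
    """
    bits = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    }[who]
    r, w, x = (bool(mode & b) for b in bits)
    return {"cd": x, "list": r, "add_or_delete": w and x}


def check_chroot_chain(entries: Iterable[DirEntry]) -> List[str]:
    """Apply sshd's ChrootDirectory ownership rule to every path component.

    Each component must be a directory owned by root (uid 0) and must not be
    writable by group or others.  Returns a list of problems; empty means OK.
    """
    problems: List[str] = []
    for e in entries:
        if not stat.S_ISDIR(e.mode):
            problems.append(f"{e.path}: not a directory")
        if e.uid != 0:
            problems.append(f"{e.path}: owned by uid {e.uid}, must be root (uid 0)")
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(
                f"{e.path}: writable by group or others (mode {stat.S_IMODE(e.mode):04o})"
            )
    return problems


def chroot_chain_from_disk(chroot: str) -> List[DirEntry]:
    """Collect DirEntry records for / and every ancestor of a real path on this host."""
    cur = os.path.abspath(chroot)
    chain: List[DirEntry] = []
    while True:
        st = os.stat(cur)
        chain.append(DirEntry(cur, st.st_uid, st.st_mode))
        parent = os.path.dirname(cur)
        if parent == cur:  # reached /
            break
        cur = parent
    return list(reversed(chain))


# Constructed sample: the layout after the first answer's 'chown root.' and 'chmod 755'.
GOOD_CHAIN = [
    DirEntry("/", 0, stat.S_IFDIR | 0o755),
    DirEntry("/home", 0, stat.S_IFDIR | 0o755),
    DirEntry("/home/sftptest", 0, stat.S_IFDIR | 0o755),
]

# Constructed sample: the same home directory right after useradd, still owned by the
# user (uid 1001 is an arbitrary placeholder), i.e. before the chown step.
BAD_CHAIN = GOOD_CHAIN[:2] + [DirEntry("/home/sftptest", 1001, stat.S_IFDIR | 0o755)]


if __name__ == "__main__":
    for label, chain in (("after chown root.", GOOD_CHAIN), ("fresh useradd", BAD_CHAIN)):
        problems = check_chroot_chain(chain)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
    # With 755 on the chroot root, the sftp user (matched as 'other') can cd and list
    # but cannot create files there, which is why the user-owned upload/ subdirectory exists.
    print("other on 0755:", dir_capabilities(0o755, "other"))
    print("other on 0711:", dir_capabilities(0o711, "other"))
```

On a live host, `check_chroot_chain(chroot_chain_from_disk("/home/sftptest"))` returns the same kind of list, so it can be run after the per-user steps to confirm that sshd will accept the chroot before the external user tries to log in.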

Yeah, but for whatever reason when I give the user only wx permissions it does not allow them to CD into the directory. I suppose it has something to do with chroot/sftp set up.

Having cd-ed into the folder, they find themselves unable to (R)ead it, which causes an error.

Usually you set a folder eXecutable but not Readable when you intend for people to chdir straight past it, i.e. cd /restricted/folder/somethingelseinsidewhichIamallowedtouse

Sometimes you can get this sort of behavior by having a special daemon process watch the dir and move files out once they are opened, so there is nothing to see.