83

I created the user MY_USER. Set his home dir to /var/www/RESTRICTED_DIR, which is the path he should be restricted to. Then I edited sshd_config and set:

Match user MY_USER
  ChrootDirectory /var/www/RESTRICTED_DIR

Then I restarted ssh. Made MY_USER owner (and group owner) of RESTRICTED_DIR, and chmodded it to 755. I get

Accepted password for MY_USER
session opened for user MY_USER by (uid=0)
fatal: bad ownership or modes for chroot directory component "/var/www/RESTRICTED_DIR"
pam_unix(sshd:session): session closed for user MY_USER

If I removed the 2 lines from sshd_config the user can login successfully. Of course it can access all the server though. What's the problem? I even tried to chown RESTRICTED_DIR to root (as I read somewhere that someone solved this same problem doing it). No luck..

MultiformeIngegno
  • 1,707
  • 9
  • 26
  • 32

5 Answers5

121

From the man page:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

My guess is one or more of the directories on the path do not meet those requirements (my suspicion is www is owned or writable by your web user, not root).
Go back and follow the directions, ensuring that the requirements above in bold italics are met.

Syntax Error
  • 159
voretaq7
  • 80,391
  • This is driving me mad. I did "chown root:root -R /var/www" ; "chmod 775 -R /var/www/" ; "usermod -a -G root www-data". But I still can't login with MY_USER – MultiformeIngegno Mar 27 '14 at 22:30
  • Does the requirements include SUPPLEMENTARY groups (the one I added with usermod)?? If yes it's unusable.. :( – MultiformeIngegno Mar 27 '14 at 22:33
  • 1
    The requirement is on the Path Components (/, /var, /var/www, and /var/www/RESTRICTED_DIR must all meet the security requirements above). It is a true chroot (review the man page) - your user's home directory needs to exist within the chroot, as must /bin & all the other things your user will need... – voretaq7 Mar 28 '14 at 00:03
  • Some updates: the problem was /var/www/RESTRICTED_DIR had chmod 0775. I set 0755 and all errors went away. Problem is it didn't login. I solved changing Subsystem in sshd_config to Subsystem sftp internal-sftp. Now: last problem: chrooted user doesn't have write access in RESTRICTED_DIR..!! – MultiformeIngegno Mar 30 '14 at 18:00
  • 3
    Ok! Solved. I set the chrooted dir a level up. Then I gave 777 perms to the original chrooted_dir. It's working :) – MultiformeIngegno Mar 30 '14 at 18:34
  • Usually, there will be hints in sshd's log. /var/log/auth.log in Ubuntu or /var/log/secure in RHEL. – Devy Sep 08 '14 at 19:07
  • 5
    Despite what the manpage says, and even with the group set to 'root', I had to set g-w permission before it would work (Ubuntu 14.04). The manpage should say *All components of the pathname must be root-owned directories that are not writable by any other user or any group at all* sudo chown root:root -R /path/to/home; sudo chmod 755 -R /path/to/home – mmell Jan 15 '15 at 23:32
  • @mmell um... that's what the manpage says: "root-owned directories that are *not writable by any other user or group" means the "write" bit for Group and Other must* be zero. (If you find the manpage unclear however you should submit a documentation patch to the OpenBSD/OpenSSH project to improve it. Complaining about it here won't get the docs changed.) – voretaq7 Jan 16 '15 at 03:17
  • 4
    I know this is quite old, but instead of modifying the permissions for the /var/www path directly, which might break apache, you'd be far better off putting your sftp directory in another path, then using URL mapping in Apache to point to the other directory. Check the documentation here https://httpd.apache.org/docs/2.4/urlmapping.html under Files Outside DocumentRoot – Daniel Sep 03 '16 at 02:58
  • 1
    You can still give permission to another user using acl setfacl -Rd -m 'u:MY_USER:rwx' /var/www/RESTRICTED_DIR && setfacl -R -m 'u:MY_USER:rwx' /var/www/RESTRICTED_DIR – Felipe Alcacibar Sep 06 '16 at 02:31
  • 8
    This drives me crazy... If nobody excepted root has write access to it, how is the user logging in supposed to upload new files? It defeats the entire purpose why I set up sftp in the first place. – jlh Jun 26 '18 at 20:47
  • 1
    @jlh That's what I'm thinking - did you solve this dilemma? – leonheess Apr 03 '20 at 09:41
  • 3
    @jlh Just create a dir owned by your user with write perms below your chroot dir: /var/www/RESTRICTED_DIR/<youruser> – Holger Böhnke Apr 03 '22 at 09:01
47

ChrootDirectory directory must be owned by root and have 755 mode:

sudo chown root:root /var/www/RESTRICTED_DIR
sudo chmod 755 /var/www/RESTRICTED_DIR

Ok, now all files into /var/www/RESTRICTED_DIR must be owned by MY_USER, which must belong to www-data group, and have 775 mode to allow group permissions, like this:

sudo usermod -a -G www-data MY_USER
sudo chown MY_USER:www-data /var/www/RESTRICTED_DIR/*
sudo chmod 775 -R /var/www/RESTRICTED_DIR/*

NOTE: Remember is a good practice allow access only to an htdocs folder if you are configuring apache.

antonbormotov
  • 123
Guillermo Garcia
  • 571
  • 4
    Pretty sure it should be sudo usermod -a -G www-data MY_USER as the group should come after -G – sMyles Dec 21 '16 at 17:28
  • 3
    This works but I cannot upload new files to the directory, I only can modify files created before with root account and with the user ownership. – dlopezgonzalez Jan 31 '19 at 12:29
  • 1
    @dlopezgonzalez The same thing happens for me. The best solution I can come up with is to create another directory (e.g. /var/www/RESTRICTED_DIR/uploads) that is owned by the user. If this isn't ideal for you, you could relocated the ChrootDirectory and use a symlink (e.g. /var/www/RESTRICTED_DIR is a symlink that points to /sftp/uploads (where /sftp is owned by root and /sftp/uploads is owned by the user) – rinogo Feb 21 '20 at 19:02
4

In my case below steps worked.

  1. useradd -d /data/ftp/user1 -s /bin/false -g users -G sftponly user1
  2. passwd user1
  3. chown root:root /data/ftp/user1
  4. rights for group & others chmod go+rx /data/ftp/user1
  5. mkdir /data/ftp/user1/{upload,download}
  6. chown user1:users /data/ftp/user1/{upload,download}
  7. sftp user1@ipaddress_server

Check if user1 can write to /data/ftp/user1/{upload,download}

Better if user1 is only allowed sftp and not ssh access. Also the user1 should be chroot to his home director. This will help https://medium.com/tensult/configure-ftp-on-aws-ec2-85b5b56b9c94

W R
  • 41
4

After some troubleshooting today, I realized that root must also be able to write to the directories.

The following did not work:

$ ls -ld /mnt/synology03/files/
dr-xr-xr-x 1 root root 156 Oct  8 20:10 /mnt/synology03/files/
$ ls -ld /mnt/synology03
drwxr-xr-x 7 root root 4096 Oct  1 21:26 /mnt/synology03
$ ls -ld /mnt
drwxr-xr-x 6 root root 4096 Feb  8 10:01 /mnt
$ ls -ld /
drwxr-xr-x 24 root root 4096 Jan 14 09:22 /

As soon as I fixed this, my chroot started working.

$ sudo chmod 755 /mnt/synology03/files/
$ ls -ld /mnt/synology03/files/
drwxr-xr-x 1 root root 156 Oct  8 20:10 /mnt/synology03/files/
Magnus
  • 41
1

Made it work for /a/b/c/CHROOT/stuff like this:

  • a, b, c and CHROOT - root:root 755
  • stuff - root:CHROOTED_USER_GROUP 775

Then the user can login with sftp and upload files to the /stuff directory.

Nikolai Koudelia
  • 141