Ubuntu 14.04

I'm trying to restrict all users of a certain group to their home directory. They should be able to SFTP to the directory and read/write whatever they like within there.

I have implemented the usual solution found in all tutorials:

/etc/ssh/sshd_config

Subsystem sftp internal-sftp
Match Group users
  ChrootDirectory %h
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp

Restarted SSH

# service ssh restart

  • The only way this works is if their home directory is owned by root.

  • But if it's owned by root, the user can't transfer/modify files to the directory (so what's the point?).

  • If I change the owner to the user, they can no longer connect to the server via SFTP.

How to solve this problem?

The user should be able to SFTP to their home directory and do whatever they want within it.

  • If their group has full permissions for their home directory it might work, e.g. chown root:users /home/myuser; chmod 770 /home/myuser Commented Nov 25, 2015 at 12:17
  • Agreed: the permissions for the chroot (in particular dev and bin directories) have to be restricted, but home directories under the chroot can be whatever makes sense. Commented Nov 25, 2015 at 12:19
  • @gogoud I tried that, it doesn't work. User still can't connect on SFTP. Commented Nov 25, 2015 at 12:24
  • Replace ChrootDirectory %h by ChrootDirectory /home/%u. A good HOWTO: Jail SFTP Commented Nov 25, 2015 at 12:59

1 Answer

I have solved this one way by creating a further subdirectory in the user's home directory, which is owned by them. The home directory itself is still owned by root.

So the user can do whatever they like in their subdirectory.

  • And, can root still access the entire server? Commented Jan 24, 2019 at 18:03
  • @BobBrunius Yes Commented Jan 30, 2019 at 17:48
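
The layout from the answer, together with a check of the rule the question ran into (sshd accepts a ChrootDirectory only if every component of its path is a root-owned directory that is not writable by group or others), as an added example that is not part of the original posts. It assumes GNU stat and home directories under /home; the subdirectory name upload is hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (as on Ubuntu) and homes under /home;
# "upload" is a hypothetical name for the user-writable subdirectory.

# dir_ok DIR UID: DIR is a directory owned by UID and not writable by
# group or others (the condition sshd applies to each chroot component).
dir_ok() {
    [ -d "$1" ] || return 1
    owner=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$owner" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# chroot_path_ok DIR [UID]: apply dir_ok to DIR and every parent up to /.
# UID defaults to 0 (root). Returns 1 and names the first bad component.
chroot_path_ok() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    p=$1 uid=${2:-0}
    while :; do
        if ! dir_ok "$p" "$uid"; then
            echo "not usable as chroot component: $p" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# make_jail_home USER (run as root): the answer's layout. The home stays
# root-owned so the chroot is accepted; the subdirectory belongs to USER.
make_jail_home() {
    home=/home/$1
    chown root:root "$home" && chmod 755 "$home" &&
        mkdir -p "$home/upload" &&
        chown "$1:" "$home/upload"   # "USER:" also sets USER's login group
}

# Typical use as root:
#   make_jail_home alice && chroot_path_ok /home/alice
```

With `ChrootDirectory %h`, the user lands in `/` of the jail after login and can write only inside `/upload`.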
