3

I need to grant access via SFTP to a specific folder with full write permissions from the root of this folder. I made it work but can't figure out a way to provide write permission on the / of the root.

I read that the common way to solve this is just to create a subfolder for each user but this one contains existing files which are used all around the website.

In short:

/ should not be readable (this is correct)
/uploads/ is not writable (**but should** by any means)
/uploads/* is writable (and should)

This is what I have done so far:

/var/www/uploads is owned by root:root with 755 permissions. (775 prevents the user from even logging in.)
/var/www/uploads/* is owned by newuser:sftp with 775 permissions.

Relevant /etc/ssh/sshd_config:

Match group sftp
   ChrootDirectory %h
   AllowTcpForwarding no
   X11Forwarding no
   ForceCommand internal-sftp

AllowGroups ssh-users sftp

Users are created like this:

useradd -d /var/www/uploads -m newuser -g sftp -s /bin/false

Thanks a lot!

2 Answers

3

I made it work but can't figure out a way to provide write permission on the / of the root.

It is not possible. The chroot directory cannot be writable by the user you are chrooting. That is a requirement defined in the manual page for sshd_config:

At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.

3
  • Thanks, that's exactly the point. So if we cannot change the default behavior and I can't change the path, should I chroot one level down? But how to prevent and ensure any access to everything else there? Commented Mar 23, 2017 at 8:56
  • 1
    In your example you have only one user. One possibility is to chroot one above, the other is to create a user-writable directory inside uploads/. Commented Mar 23, 2017 at 8:58
  • Absolutely, will do that in the next projects, but there are like hundreds of files directly in /var/www/uploads/ and referenced in webpages. So if I allow /var/www, I do require control over every other file than the upload folder. I can't see any way to ensure that behavior. Commented Mar 23, 2017 at 9:04
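To make the rule in the accepted answer and the "chroot one above" suggestion in the comments concrete, here is an added example (not code from the page or from OpenSSH) that re-implements the sshd_config check over a constructed directory tree: every component of the ChrootDirectory path must be a root-owned directory with no group or other write bit, and nothing inside the chroot is examined. The tree, the uid 1001 for newuser and the photos subdirectory are assumptions for illustration; the 775, 1777 and one-level-up variants are the layouts discussed in this thread.

```python
"""Emulation of sshd's ChrootDirectory sanity check over a constructed tree.

Added example for this thread, not code from the page or from OpenSSH. It
applies the rule quoted from the sshd_config manual (sshd's safely_chroot()
enforces the same thing): each component of the chroot path must be a
root-owned directory that is not group/other writable. The uid for
'newuser' and the tree layout below are assumptions for illustration.
"""
import os
import stat as st

ROOT_UID = 0
NEWUSER_UID = 1001  # assumed uid of 'newuser' from the question


def d(uid, perm):
    """Directory entry with a full st_mode, as os.stat() would report it."""
    return (uid, st.S_IFDIR | perm)


# Constructed tree mirroring the question: path -> (uid, st_mode).
QUESTIONERS_TREE = {
    "/": d(ROOT_UID, 0o755),
    "/var": d(ROOT_UID, 0o755),
    "/var/www": d(ROOT_UID, 0o755),
    "/var/www/uploads": d(ROOT_UID, 0o755),            # the chroot, root:root 755
    "/var/www/uploads/photos": d(NEWUSER_UID, 0o775),  # writable contents (assumed)
}


def components(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']: every directory sshd inspects."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def chroot_problems(chroot_dir, tree):
    """Return the reasons sshd would refuse chroot_dir, or [] if acceptable.

    sshd aborts the session at the first bad component; this collects every
    violation so an audit shows all of them. Only the components of the chroot
    path are checked; entries inside the chroot (e.g. /var/www/uploads/photos)
    are never looked at, so a writable subdirectory is fine while a writable
    chroot root is not.
    """
    problems = []
    for comp in components(chroot_dir):
        entry = tree.get(comp)
        if entry is None:
            problems.append(f"{comp}: does not exist")
            break
        uid, mode = entry
        if not st.S_ISDIR(mode):
            problems.append(f"{comp}: not a directory")
            break
        if uid != ROOT_UID:
            problems.append(f"{comp}: owned by uid {uid}, must be root")
        if mode & 0o022:  # group or other write bit set
            problems.append(f"{comp}: mode {oct(st.S_IMODE(mode))} is group/other writable")
    return problems


def with_entry(tree, path, uid, perm):
    """Copy of tree with one directory's owner and permission bits replaced."""
    new = dict(tree)
    new[path] = d(uid, perm)
    return new


def scenarios():
    """The layouts discussed in the thread, each run through the check."""
    t = QUESTIONERS_TREE
    return {
        # Works today: chroot = /var/www/uploads, root:root 755.
        "uploads_755": chroot_problems("/var/www/uploads", t),
        # What the asker tried: 775 on the chroot itself -> login refused.
        "uploads_775": chroot_problems(
            "/var/www/uploads", with_entry(t, "/var/www/uploads", ROOT_UID, 0o775)),
        # 1777 as in the second answer: the sticky bit does not remove the
        # group/other write bits, so the chroot is still refused.
        "uploads_1777": chroot_problems(
            "/var/www/uploads", with_entry(t, "/var/www/uploads", ROOT_UID, 0o1777)),
        # Chroot one level up: /var/www (root:root 755) is the chroot and
        # uploads becomes newuser-owned and writable; the check never sees it.
        "one_level_up": chroot_problems(
            "/var/www", with_entry(t, "/var/www/uploads", NEWUSER_UID, 0o775)),
    }


def live_problems(chroot_dir):
    """Same check against the real filesystem (os.stat follows symlinks, like sshd's stat())."""
    tree = {}
    for comp in components(chroot_dir):
        try:
            s = os.stat(comp)
        except FileNotFoundError:
            break
        tree[comp] = (s.st_uid, s.st_mode)
    return chroot_problems(chroot_dir, tree)


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name:14s} {'OK' if not problems else '; '.join(problems)}")
```

Run it as is to see the four layouts, or call live_problems("/var/www/uploads") on the server to audit a real ChrootDirectory before restarting sshd. The one-level-up layout passes the check, but it also places the rest of /var/www inside the jail, so anything there that is world-readable is visible to the SFTP user; that is the concern raised in the last comment and this check says nothing about it.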
1

Directories shared between users on a system should have permissions that cover access for all the users.

I tend to use 1777 on the shared directory and contents. It gives all users full access while preventing deletion by other than the files' owner.

The preceding 1 in the permission octal is the sticky bit that narrows deletion and permission change rights to the owner.

1
  • Interesting, did not know about that specific setup. The problem here is that any setting on the parent folder other than owner root:root 755 prevents the SFTP connections. Commented Mar 23, 2017 at 8:59
