-1

currently, the user connects via SFTP to the server and is placed in the files folder. Is there a way to prevent them from exiting the files folder?

sshd config for the user sftp:

Match User sftp
    ForceCommand internal-sftp -d /files/
    PasswordAuthentication no
    PubkeyAuthentication yes
    ChrootDirectory /home/sftp/uploads/
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

I know that ForceCommand internal-sftp has additional options — -P to allow, and -p to deny. However, combining them with the result I want has not worked. The closest I’ve gotten is "ForceCommand internal-sftp -d /files/ -P stat", but when I deny stat, the user can no longer download files.

Here is the full list of keys:

open, close, read, write, lstat, fstat, setstat, fsetstat, opendir, readdir, remove, mkdir, rmdir, realpath, rename, readlink, symlink, posix-rename, statvfs, fstatvfs, hardlink, fsync, lsetstat.

Has anyone faced a similar issue before? How did you solve it?

Improve this question
5
  • So why don't you chroot to files? Btw, there's nothing like "exiting folder" in SFTP. In SFTP protocol, the server does not maintain the working directory (contrary to for example FTP protocol). The working directory is simulated by the client only. The client-server talks in absolute paths only. And even if you could prevent "exiting folder", what would it be good for? Commented Feb 3 at 8:50
  • I am interested in the possibility of creating a folder without the client being able to exit it. Commented Feb 3 at 9:06
  • Sorry, that's unclear to me. Who is creating the folder? What do you think the inability to exit the folder is good for? Commented Feb 3 at 10:52
  • I create /home/sftp/uploads, this is a chroot folder, in it I create a directory "files". I make the owner of this folder sftp. So that the user can download and upload files there. I am interested in the ability to prohibit the user from leaving the "files" folder. Commented Feb 3 at 11:54
  • That does not explain why you cannot set ChrootDirectory to /home/sftp/uploads/files Commented Feb 3 at 12:21

1 Answer 1

Reset to default
0

Here's the config I use for an SFTP server that blocks chdir outside the account's home dir:

Match group sftponly
# /opt and /opt/sftp dirs can have 755 perms,
# the /opt/sftp/authorized_keys dir should have 711,
# and the files inside it should have 600.
AuthorizedKeysFile  /opt/sftp/authorized_keys/%u
ChrootDirectory     %h
AllowTCPForwarding  no
X11Forwarding       no
ForceCommand internal-sftp

SFTP-only user accounts are created in /etc/passwd and /etc/shadow. The user's home dir is set to /opt/sftp/username, and the shell is the same as some of the system accounts: /usr/sbin/nologin. The home dir is owned by root:root. There is a subdirectory under the home dir and that subdir is owned by the user with group sftponly. (on my server, the subdir is named 'upload') The authorized keys file is like the upload directory, owned by the user, group sftponly.

To explain some of the design decisions for the above config:

  • The ChrootDirectory is what prevents the sftp client from changing to a dir outside the home dir.
  • ForceCommand is the simple "internal-sftp" without arguments because that works better with the ChrootDirectory parameter. There's a note in the sshd_config man page's description of ForceCommand about this.
  • The authorized_keys file is set to a location outside the account's home dir to ensure the sftp client can't overwrite it or delete it.
  • The account's home dir is not owned by the account to ensure the sftp client can't delete the home dir or create other files/dirs in it. The client can only create/delete files/dirs in the 'upload' subdir described above. (Or any other subdir owned by username:sftponly that you put under the home dir)
  • The sftp client can create files and subdirs in the 'upload' subdir. It can even delete the 'upload' subdir, but the ownership and permissions of the home dir prevent the client from re-creating the subdir. Re-creating the subdir (or creating other subdirs in the home dir) requires intervention by a server admin.

The above configuration allows me to have ordinary ssh users (the server admins) alongside SFTP-only users, and the configurations for the different types of users don't conflict with each other.

This uses different working dirs for each SFTP user, which might not be what you're looking for. However, I think this will be helpful to you finding the config you need.

Improve this answer
4
  • Although long post, it seems to me that it boils down to ChrootDirectory, what the OP already knows about. Commented Feb 3 at 10:52
  • 1
    @MartinPrikryl There is also the dependence on the ForceCommand parameter, which the OP doesn't appear to know about. But the reason I gave so much detail is that this is a tested and working configuration which achieves the goal in the OP's question. There is also posterity - other people whose searches will find this question, even though they're looking for something that's different in a few details. A detailed answer can help them, too. Commented Feb 3 at 17:48
  • OP uses ForceCommand internal-sftp, just with -d /files/ parameter, which the sftp-server man page explicitly mentions as useful with ChrootDirectory. Commented Feb 4 at 13:11
  • @MartinPrikryl you seem to be offering me the argument you're having with the OP, and I don't know why. I haven't suggested your comment won't work. I offered the OP a configuration that works, and which even indirectly supports your suggestion that ChrootDirectory is sufficient to lock the client into the specified directory without the need for a -d /path/to/any/dir option in ForceCommand. And again, it's a config that the OP can test with, and it acknowledges it may not be exactly what he/she/they wants. Commented Feb 5 at 9:25

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.