Is there a simple way to restrict an SCP/SFTP user to a directory? All methods that I've come across require me to set a chroot jail up by copying binaries, but I don't think that should be necessary.
3 Answers
SSH supports chrooting an SFTP user natively. You just need to supply `ChrootDirectory` in your sshd config file, and restart sshd.
If you are just doing sftp, then you don't have to do anything more. Unfortunately, this doesn't work for scp. For an interactive shell, you will need to copy binaries and /dev nodes into the chroot.
An example config, for just a single user, testuser:
    Match User testuser
        ChrootDirectory /home/testuser
        ForceCommand internal-sftp
A few things to be aware of, from the sshd_config man page:
All components of the pathname must be root-owned directories that are not
writable by any other user or group. After the chroot, sshd(8) changes the
working directory to the user's home directory.
Search for ChrootDirectory in man sshd_config for more information.
- Note that the part that starts with "Match User testuser" must be at the END of the file, as it will include configuration lines only if the user is "testuser" from that point on. – Magnus, Oct 5, 2012 at 14:10
- Is it also possible to Chroot only for the SFTP Protocol, but to still allow normal SCP connections? – lanoxx, Mar 22, 2013 at 15:16
- On my Ubuntu 14.04 machine, it was also necessary to change the `Subsystem sftp /usr/lib/openssh/sftp-server` line to `Subsystem sftp internal-sftp -f AUTH -l VERBOSE` – partofthething, Sep 23, 2015 at 1:41
- @Magnus or until another `Match` section. – Chris Davies, Jan 10, 2016 at 17:21
- After doing this, I am unable to connect to the server (Debian 10). If I do `sftp [email protected]` then I obtain `Connection to myserver.com closed by remote host.`. I tried using FileZilla but also failed: `Status: Connection established, waiting for welcome message... Error: Connection timed out after 20 seconds of inactivity.` Could you please help? – f10w, Apr 28, 2021 at 17:47
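The ownership rule quoted from the sshd_config man page in the first answer can be checked before sshd is restarted. The script below is an added example, not part of the original answers; the function names and the optional owner-uid argument (default 0, root) are assumptions made for illustration.

```shell
# Read-only audit of a ChrootDirectory path (added example; names are illustrative).

# Print "/" and then every cumulative prefix of an absolute path, one per line.
path_components() {
    rest=${1#/}; cur=
    printf '/\n'
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue          # skip empty parts from "//"
        cur=$cur/$part
        printf '%s\n' "$cur"
    done
}

# Succeed only if $1 is a directory owned by uid $2 and writable by neither
# group nor others. The uid argument is an assumption added for this example.
component_ok() {
    dir=$1 want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    # ls -n prints the numeric uid; -L follows a symlinked component.
    read -r perms _ uid _ <<EOF
$(ls -ldnL -- "$dir")
EOF
    [ "$uid" = "$want_uid" ] || return 1
    case $perms in
        d????w*|d???????w*) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# Check every component of an absolute path; return 0 only if all pass.
check_chroot_path() {
    path=$1 owner=${2:-0} bad=0
    case $path in /*) ;; *) echo "not an absolute path: $path" >&2; return 2 ;; esac
    while IFS= read -r comp; do
        if component_ok "$comp" "$owner"; then
            echo "ok   $comp"
        else
            echo "BAD  $comp"; bad=1
        fi
    done <<EOF
$(path_components "$path")
EOF
    return "$bad"
}

if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi   # e.g. sh check.sh /home/testuser
```

Any line marked BAD names a directory that breaks the man page rule and needs its owner or mode corrected.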
A chroot is a reasonably simple method. Since the operating system already has this security feature, daemon writers tend not to attempt to reimplement it.
Rssh comes with a guide on setting up a chroot jail. It's in the CHROOT file in the source distribution. In a nutshell, you need to have:
- A few binaries, copied from the root: `/usr/bin/scp`, `/usr/libexec/openssh/sftp-server`, `/usr/bin/rssh_chroot_helper`
- The libraries (`{/usr,}/lib/lib*.so.[0-9]`) that they use, likewise copied
- A `/etc/passwd` (quite possibly not a copy but derived from the master)
- A few devices: `/dev/null`, `/dev/tty`, and also a `/dev/log` socket for logging (and you need to tell your syslog daemon to listen on that socket)
Extra tip that isn't in the rssh documentation: If you need some files to be accessible in a chroot jail, you can use bindfs or Linux's `mount --bind` to make additional directory hierarchies from outside the jail. bindfs allows the remounted directory to have more restrictive permissions, for example read-only. (`mount --bind` doesn't unless you apply a kernel patch; Debian has included this patch since at least lenny but most other distributions haven't as of 2011.)
You might want to look at scponly (or more recently, rssh); it's essentially a login shell that can only be used to launch scp or the sftpd subsystem. In the scponlyc variant it performs a chroot before activating the subsystem in question.
- scponly seems deprecated, at least in Ubuntu – tobixen, Aug 26, 2016 at 10:44