93

I created the user MY_USER. Set his home dir to /var/www/RESTRICTED_DIR, which is the path he should be restricted to. Then I edited sshd_config and set:

Match user MY_USER
  ChrootDirectory /var/www/RESTRICTED_DIR

Then I restarted ssh. Made MY_USER owner (and group owner) of RESTRICTED_DIR, and chmodded it to 755. I get

Accepted password for MY_USER
session opened for user MY_USER by (uid=0)
fatal: bad ownership or modes for chroot directory component "/var/www/RESTRICTED_DIR"
pam_unix(sshd:session): session closed for user MY_USER

If I removed the 2 lines from sshd_config the user can login successfully. Of course it can then access the whole server though. What's the problem? I even tried to chown RESTRICTED_DIR to root (as I read somewhere that someone solved this same problem doing it). No luck.

5 Answers

128

From the man page:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

My guess is one or more of the directories on the path do not meet those requirements (my suspicion is www is owned or writable by your web user, not root).
Go back and follow the directions, ensuring that the requirements above in bold italics are met.

voretaq7
  • 80,749
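A quick way to find the offending component is to apply the man page rule above to every directory on the path. The following checker is an added example (not from the answer or from OpenSSH) and assumes GNU `stat -c`; it walks from the chroot directory up to `/` and reports each component that is missing, not root-owned, or writable by group or others.

```shell
#!/bin/sh
# Added example: report ChrootDirectory path components that sshd would reject.
# Rule from sshd_config(5): every component must be a root-owned directory
# that is not writable by group or others. Assumes GNU coreutils `stat -c`.

# component_problem UID OCTAL_MODE -> prints a reason string, empty if the
# component is acceptable. OCTAL_MODE is what `stat -c %a` prints (755, 1777, ...).
component_problem() {
    uid=$1
    perms=$2
    # Keep only the trailing rwx triplet (drop a leading setuid/setgid/sticky digit)
    while [ ${#perms} -gt 3 ]; do perms=${perms#?}; done
    while [ ${#perms} -lt 3 ]; do perms=0$perms; done
    group=$(printf '%s' "$perms" | cut -c2)
    other=$(printf '%s' "$perms" | cut -c3)
    reasons=""
    [ "$uid" -eq 0 ] || reasons="not owned by root (uid $uid)"
    # Octal digits with the write bit (2) set: 2, 3, 6, 7
    case $group in 2|3|6|7) reasons="${reasons:+$reasons, }group-writable" ;; esac
    case $other in 2|3|6|7) reasons="${reasons:+$reasons, }world-writable" ;; esac
    printf '%s' "$reasons"
}

# check_chroot_path /abs/path -> prints OK/BAD per component, returns 1 if any BAD.
check_chroot_path() {
    dir=$1
    case $dir in /*) ;; *) echo "path must be absolute: $dir" >&2; return 2 ;; esac
    status=0
    while :; do
        if [ ! -d "$dir" ]; then
            echo "BAD $dir: not a directory"
            status=1
        else
            problem=$(component_problem "$(stat -c '%u' "$dir")" "$(stat -c '%a' "$dir")")
            if [ -n "$problem" ]; then
                echo "BAD $dir: $problem"
                status=1
            else
                echo "OK  $dir"
            fi
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $status
}

# Usage: check_chroot_path /var/www/RESTRICTED_DIR
```

Run it as any user; a `BAD` line names the exact component behind the "bad ownership or modes for chroot directory component" error.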
49

ChrootDirectory directory must be owned by root and have 755 mode:

sudo chown root:root /var/www/RESTRICTED_DIR
sudo chmod 755 /var/www/RESTRICTED_DIR

Ok, now all files in /var/www/RESTRICTED_DIR must be owned by MY_USER, which must belong to the www-data group, and have 775 mode to allow group permissions, like this:

sudo usermod -a -G www-data MY_USER
sudo chown MY_USER:www-data /var/www/RESTRICTED_DIR/*
sudo chmod 775 -R /var/www/RESTRICTED_DIR/*

NOTE: Remember that it is good practice to allow access only to an htdocs folder if you are configuring Apache.

4

In my case the steps below worked.

  1. useradd -d /data/ftp/user1 -s /bin/false -g users -G sftponly user1
  2. passwd user1
  3. chown root:root /data/ftp/user1
  4. rights for group and others: chmod go+rx /data/ftp/user1
  5. mkdir /data/ftp/user1/{upload,download}
  6. chown user1:users /data/ftp/user1/{upload,download}
  7. sftp user1@ipaddress_server

Check if user1 can write to /data/ftp/user1/{upload,download}

It is better if user1 is only allowed sftp and not ssh access. Also, user1 should be chrooted to his home directory. This will help: https://medium.com/tensult/configure-ftp-on-aws-ec2-85b5b56b9c94

W R
  • 41
4

After some troubleshooting today, I realized that root must also be able to write to the directories.

The following did not work:

$ ls -ld /mnt/synology03/files/
dr-xr-xr-x 1 root root 156 Oct  8 20:10 /mnt/synology03/files/
$ ls -ld /mnt/synology03
drwxr-xr-x 7 root root 4096 Oct  1 21:26 /mnt/synology03
$ ls -ld /mnt
drwxr-xr-x 6 root root 4096 Feb  8 10:01 /mnt
$ ls -ld /
drwxr-xr-x 24 root root 4096 Jan 14 09:22 /

As soon as I fixed this, my chroot started working.

$ sudo chmod 755 /mnt/synology03/files/
$ ls -ld /mnt/synology03/files/
drwxr-xr-x 1 root root 156 Oct  8 20:10 /mnt/synology03/files/

Magnus
  • 41
2

Made it work for /a/b/c/CHROOT/stuff like this:

  • a, b, c and CHROOT - root:root 755
  • stuff - root:CHROOTED_USER_GROUP 775

Then the user can login with sftp and upload files to the /stuff directory.