Hi,

I configured openssh 5.1p1 for sftp server.

Here are the specifications in the sshd_config file:

Subsystem sftp internal-sftp
Match Group sftp
ForceCommand internal-sftp
ChrootDirectory /home/%u
AllowTcpForwarding no

When a user is logged in, he can't upload his document and he receives this message:

carlo@Music:~$ sftp user@213.217.147.123
Connecting to 213.217.147.123...
user@213.217.147.123's password:
sftp> put prova
Uploading prova to /prova
Couldn't get handle: Permission denied
sftp>

Here are the directory permissions:

[root@sftp-server ~]# ls -la /home/user/
total 24
drwxr-xr-x  6 root sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..

OK, my user is an sftp group member, and the sftp group doesn't have sufficient permissions to write in the user's home directory. I add the write permission for the sftp group:

[root@sftp-server ~]# chmod 770 /home/user/
[root@sftp-server ~]# ls -la /home/user/
total 24
drwxrwx---  6 root sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..

But now the user can't access:

carlo@Music:~$ sftp user@213.217.145.321
Connecting to 213.217.147.123...
user@213.217.145.321's password:
Read from remote host 213.217.145.321: Connection reset by peer
Couldn't read packet: Connection reset by peer

Here is the error message in /var/log/messages of sftp-server:

Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user from 213.217.145.329 port 38685 ssh2
Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes for chroot directory "/home/user"

I get the same result if I change the ownership of the user directory:

[root@sftp-server ~]# chown user.sftp /home/user/
[root@sftp-server ~]# ls -la /home/user/
total 24
drwxrwx---  6 user sftp 4096 Nov 10 18:05 .
drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..

carlo@Music:~$ sftp user@213.217.145.321
Connecting to 213.217.147.123...
user@213.217.145.321's password:
Read from remote host 213.217.145.321: Connection reset by peer
Couldn't read packet: Connection reset by peer

Nov 11 11:38:11 sftp-server sshd[10267]: Accepted password for user from 213.217.145.329 port 39285 ssh2
Nov 11 11:38:11 sftp-server sshd[10269]: fatal: bad ownership or modes for chroot directory "/home/user"

I get the same result if I change the ownership of the user directory this way:

[root@sftp-server ~]# chown user.root /home/user/

What can I do in order to grant the user access and allow write permissions in his home directory?

Thanks

--
Carlo Pradissitto
Servizi e Supporto IT
I-WAY S.r.l.
Piazza Caduti di via Fani, 2
03100 Frosinone
Mobile: +393939318571
Tel/Fax: 07751880765
E-mail: c.pradissitto at i-way.it

On Tue, 11 Nov 2008, Carlo Pradissitto wrote:

> Hi,
> I configured openssh 5.1p1 for sftp server.
>
> Here are the specifications in the sshd_config file:
>
> Subsystem sftp internal-sftp
> Match Group sftp
> ForceCommand internal-sftp
> ChrootDirectory /home/%u
> AllowTcpForwarding no
>
> When a user is logged in, he can't upload his document and he receives
> this message:
>
> carlo@Music:~$ sftp user@213.217.147.123
> Connecting to 213.217.147.123...
> user@213.217.147.123's password:
> sftp> put prova
> Uploading prova to /prova
> Couldn't get handle: Permission denied
> sftp>

From the sshd_config manual page:

    ChrootDirectory
            Specifies a path to chroot(2) to after authentication. This path,
            and all its components, must be root-owned directories that are
            not writable by any other user or group.

> Here are the directory permissions:
>
> [root@sftp-server ~]# ls -la /home/user/
> total 24
> drwxr-xr-x  6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
> OK, my user is an sftp group member, and the sftp group doesn't have
> sufficient permissions to write in the user's home directory.

Your permissions are correct.

> I add the write permission for the sftp group:
>
> [root@sftp-server ~]# chmod 770 /home/user/
> [root@sftp-server ~]# ls -la /home/user/
> total 24
> drwxrwx---  6 root sftp 4096 Nov 10 18:05 .
> drwxr-xr-x 54 root root 4096 Nov 10 16:48 ..
>
>
> But now the user can't access:
>
> carlo@Music:~$ sftp user@213.217.145.321
> Connecting to 213.217.147.123...
> user@213.217.145.321's password:
> Read from remote host 213.217.145.321: Connection reset by peer
> Couldn't read packet: Connection reset by peer
>
> Here is the error message in /var/log/messages of sftp-server:
>
> Nov 11 11:33:02 sftp-server sshd[10254]: Accepted password for user
> from 213.217.145.329 port 38685 ssh2
> Nov 11 11:33:02 sftp-server sshd[10256]: fatal: bad ownership or modes
> for chroot directory "/home/user"

Right, this is on purpose. We ban this because allowing a user write
access to a chroot target is dangerously similar to equivalence with
allowing write access to the root of a filesystem.

If you want the default directory that users start in to be writable then
you must create their home directory under the chroot. After sshd(8) has
chrooted to the ChrootDirectory, it will chdir to the home directory as
normal. So, for a passwd line like:

djm:*:1000:1000:Damien Miller:/home/djm:/bin/ksh

Create a home directory "/chroot/djm/home/djm". Make the terminal "djm"
directory user-owned and writable (everything else must be root-owned).
Set "ChrootDirectory /chroot" in /etc/config.

A variant of this that yields less deep directory trees would be to set
the passwd file up as:

djm:*:1000:1000:Damien Miller:/upload:/bin/ksh

Create "/chroot/djm/upload", with "upload" the only user-owned and
writable component.

-d

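The ownership rule quoted from sshd_config(5) above and the "/chroot/djm/home/djm" layout, as an added shell example; it is not part of the thread and not OpenSSH's own code. The function names `check_component`, `check_chroot_path` and `setup_chroot_home` are mine, and the layout assumes `ChrootDirectory /chroot/%u` in sshd_config (my assumption, chosen so that the passwd home `/home/djm` resolves to `/chroot/djm/home/djm`). The checker reproduces only the documented condition (every component a root-owned directory, no group or other write bit), which is the condition behind the "bad ownership or modes for chroot directory" log line; `setup_chroot_home` must run as root.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. It re-implements the
# sshd_config(5) ChrootDirectory rule as a pre-flight check and builds the
# /chroot/<user>/home/<user> layout from the message above.
# Assumption: sshd_config contains "ChrootDirectory /chroot/%u", so that the
# passwd home "/home/<user>" lands in /chroot/<user>/home/<user> after chroot.

# check_component DIR: DIR must be a directory, owned by uid 0, with neither
# the group nor the other write bit set. Prints the reason on stderr and
# returns 1 otherwise.
check_component() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3
    if [ "$uid" != 0 ]; then
        echo "$dir: owned by uid $uid, must be root" >&2
        return 1
    fi
    # character 6 of the mode string is the group write bit, character 9
    # the other write bit; either one is what sshd refuses
    case $mode in
        ?????w*|????????w*)
            echo "$dir: writable by group or other ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH: apply check_component to PATH and every ancestor,
# because the manual page says "this path, and all its components".
check_chroot_path() {
    target=$1
    prefix=""
    check_component / || return 1
    oldifs=$IFS
    IFS=/
    set -- $target
    IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        check_component "$prefix" || return 1
    done
    return 0
}

# setup_chroot_home USER [BASE]: create BASE/USER/home/USER (BASE defaults
# to /chroot). BASE, BASE/USER and BASE/USER/home stay root-owned 0755;
# only the terminal USER directory is user-owned and writable, as the
# message prescribes. Requires root.
setup_chroot_home() {
    user=$1
    base=${2:-/chroot}
    mkdir -p "$base/$user/home/$user"
    chown root "$base" "$base/$user" "$base/$user/home"
    chmod 0755 "$base" "$base/$user" "$base/$user/home"
    chown "$user" "$base/$user/home/$user"
    chmod 0750 "$base/$user/home/$user"
    # Verify the chroot target (BASE/USER) and its parents before sshd does.
    check_chroot_path "$base/$user"
}
```

Run against the original configuration, `check_chroot_path /home/user` rejects the `drwxrwx--- root sftp` directory on the group write bit, which is the same condition sshd logged, while `drwxr-xr-x root sftp` passes, matching "Your permissions are correct." The original problem is then solved not by loosening `/home/user` but by giving the user a writable directory one level below the chroot target, which `setup_chroot_home` creates.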
> Right, this is on purpose. We ban this because allowing a user write
> access to a chroot target is dangerously similar to equivalence with
> allowing write access to the root of a filesystem.

Could you tell me what the *real* dangers are of allowing SFTP-only users to write to their directories?

We've got a server with a few hundred users that we need to chroot, and would prefer not to have to change what directories they end up in, and all the users have to have their files placed in the directories by another non-root user. Basically, we've got a couple hundred external customers that sftp in and either pick up or drop off files, and an internal user process that puts the files in the directories or picks them up. Changing how all those users access would take well over a year...

--
MM
work: 972-509-2375, mobile: 469-576-1908

On Wed, 13 Jan 2010, Michael Masterson wrote:

> > Right, this is on purpose. We ban this because allowing a user write
> > access to a chroot target is dangerously similar to equivalence with
> > allowing write access to the root of a filesystem.
>
> Could you tell me what the *real* dangers are of allowing SFTP-only users to write
> to their directories?

https://bugzilla.redhat.com/show_bug.cgi?id=522141

-d