2

I want to create an account for my friend on my computer, but I don't want my friend to be able to view all my files. I saw that with OpenSSH, there is an option for that.

Inside the SSHD configuration file:

/etc/ssh/sshd_config

With the line:

ChrootDirectory /home/%u

However, the user home directory needs to be owned by root. Is that a bad thing? Are there any consequences or repercussions if admin owns the directory?

I tagged this question for 2 distributions and FreeBSD, since I use them all. I'm wondering if maybe the requirement of root owning the user home directory will be different between distributions and/or OS.

George M
  • Is there a reason you don't use the standard file permissions? Linux/Unix was designed to be multi-user, and has the ability to easily grant or deny access to some or all of your directories with permissions for you, your group, and everyone else. Just make sure you don't add your friend to the sudoers list. – Marty Fried Apr 21 '12 at 22:53

2 Answers

4

You're misunderstanding chroot somewhat; it's not simply hiding stuff, that directory actually becomes / for the session. You need to provide a reasonably complete system image (/etc, /bin, /lib, etc.) beneath it, or nothing will work (in particular, the user won't have a shell to run). root needing to own the new / is a consequence of this: anyone else owning the filesystem root would be an obvious security issue.

geekosaur
1

To answer your specific question, root must own the user home directory for the chroot provided by SSHD to work correctly. If the home directory is not owned by root, the user will be able to exit the directory when they connect via sftp.

There is no downside to root owning the user directory if the user is only connecting with sftp. However, if the user is also connecting another way (such as ssh) and being granted a shell, then you should use another solution, like the restricted shell rssh.

George M
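
The ownership requirement discussed in the answers can be checked before pointing ChrootDirectory at a directory. The script below is an added example, not code from either answer; it relies on the rule in sshd_config(5) that every component of the chroot path must be a root-owned directory not writable by group or others. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answers): audit a directory before naming it in
# sshd_config's ChrootDirectory. sshd requires every component of the path to
# be a root-owned directory that is not writable by group or others.
# Function names are hypothetical. Symlinks are not resolved here.

# Print "uid octal-mode" for a path: GNU stat first, then BSD stat (FreeBSD).
stat_uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1" 2>/dev/null
}

# Succeed only for uid 0 with no group-write (020) or other-write (002) bit.
component_ok() {
    [ "$1" = 0 ] || return 1
    case "$2" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# Check the target and each parent up to /. Returns 0 only if all pass.
check_chroot_path() {
    p=$1; rc=0
    case "$p" in /*) ;; *) echo "not an absolute path: $p" >&2; return 2 ;; esac
    while :; do
        if [ ! -d "$p" ]; then
            echo "FAIL $p: not a directory"; rc=1
        else
            set -- $(stat_uid_mode "$p")
            if component_ok "$1" "$2"; then
                echo "ok   $p (uid=$1 mode=$2)"
            else
                echo "FAIL $p (uid=$1 mode=$2): needs root owner, no g/o write"
                rc=1
            fi
        fi
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break
        p=$parent
    done
    return $rc
}

# Usage: sh check_chroot.sh /home/friend
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```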