41

Is there a simple way to restrict an SCP/SFTP user to a directory? All methods that I've come across require me to set a chroot jail up by copying binaries, but I don't think that should be necessary.

phunehehe
  • 20,240

3 Answers

31

SSH supports chrooting an SFTP user natively. You just need to supply ChrootDirectory in your sshd config file, and restart sshd.

If you are just doing sftp, then you don't have to do anything more. Unfortunately, this doesn't work for scp. For an interactive shell, you will need to copy binaries and /dev nodes into the chroot.

An example config, for just a single user, testuser:

Match User testuser
    ChrootDirectory /home/testuser
    ForceCommand internal-sftp

A few things to be aware of, from the sshd_config man page:

    All components of the pathname must be root-owned directories that are not
    writable by any other user or group.  After the chroot, sshd(8) changes the
    working directory to the user's home directory.

Search for ChrootDirectory in man sshd_config for more information.

gabe.
  • 11,784
  • 2
    Note that the part that starts with "Match User testuser" must be at the END of the file, as it will include configuration lines only if the user is "testuser" from that point on. – Magnus Oct 05 '12 at 14:10
  • 2
    Is it also possible to Chroot only for the SFTP Protocol, but to still allow normal SCP connections? – lanoxx Mar 22 '13 at 15:16
  • 2
    On my Ubuntu 14.04 machine, it was also necessary to change the Subsystem sftp /usr/lib/openssh/sftp-server line to Subsystem sftp internal-sftp -f AUTH -l VERBOSE – partofthething Sep 23 '15 at 01:41
  • 1
    @Magnus or until another Match section. – Chris Davies Jan 10 '16 at 17:21
  • After doing this, I am unable to connect to the server (Debian 10). If I do sftp testuser@myserver.com then I obtain Connection to myserver.com closed by remote host. I tried using FileZilla but also failed: Status: Connection established, waiting for welcome message... Error: Connection timed out after 20 seconds of inactivity. Could you please help? – f10w Apr 28 '21 at 17:47
12

A chroot is a reasonably simple method. Since the operating system already has this security feature, daemon writers tend not to attempt to reimplement it.

Rssh comes with a guide on setting up a chroot jail. It's in the CHROOT file in the source distribution. In a nutshell, you need to have:

  • A few binaries, copied from the root: /usr/bin/scp, /usr/libexec/openssh/sftp-server, /usr/bin/rssh_chroot_helper
  • The libraries ({/usr,}/lib/lib*.so.[0-9]) that they use, likewise copied
  • A /etc/passwd (quite possibly not a copy but derived from the master)
  • A few devices: /dev/null, /dev/tty, and also a /dev/log socket for logging (and you need to tell your syslog daemon to listen on that socket)

Extra tip that isn't in the rssh documentation: If you need some files to be accessible in a chroot jail, you can use bindfs or Linux's mount --bind to make additional directory hierarchies from outside the jail. bindfs allows the remounted directory to have more restrictive permissions, for example read-only. (mount --bind doesn't unless you apply a kernel patch; Debian has included this patch since at least lenny but most other distributions haven't as of 2011.)
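
The mechanical part of the jail build listed above (binaries, their libraries, a derived passwd, device nodes), as an added shell example that is neither rssh's CHROOT guide nor the answer's own script. The jail location and the three binary paths are taken from the answer and are assumptions for your system (Debian, for instance, ships sftp-server under /usr/lib/openssh); the device major/minor numbers are the Linux ones.

```shell
#!/bin/sh
# Added example (not from rssh's CHROOT file or the original answer):
# populate a classic chroot jail for rssh/scp/sftp-server.
# Assumptions: the jail path and binary paths given on the command line.

# needed_libs BIN
# Print the absolute paths of the shared objects BIN loads, parsed from
# ldd(1). Static binaries, "not found" entries and the vdso yield nothing.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }   # libc.so.6 => /lib/.../libc.so.6 (0x...)
        $1 ~ /^\//              { print $1 }   # /lib64/ld-linux-x86-64.so.2 (0x...)
    '
}

# install_in_jail JAIL BIN
# Copy BIN and its libraries into JAIL at the same paths, so the dynamic
# loader finds them after chroot without any LD_LIBRARY_PATH tricks.
install_in_jail() {
    jail=$1 bin=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    for lib in $(needed_libs "$bin"); do
        mkdir -p "$jail$(dirname "$lib")"
        [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
    done
}

# jail_passwd JAIL USER [SRC]
# Derive JAIL/etc/passwd from SRC (default /etc/passwd) instead of copying
# it: only root and USER, and never a password hash in field 2.
jail_passwd() {
    jail=$1 user=$2 src=${3:-/etc/passwd}
    mkdir -p "$jail/etc"
    awk -F: -v OFS=: -v u="$user" \
        '$1 == "root" || $1 == u { $2 = "x"; print }' "$src" > "$jail/etc/passwd"
}

# jail_devs JAIL   (root only: mknod needs CAP_MKNOD)
# /dev/null and /dev/tty as the guide requires. /dev/log is a socket the
# syslog daemon creates, not a device node: configure syslogd to listen on
# JAIL/dev/log as an additional socket rather than creating it here.
jail_devs() {
    jail=$1
    mkdir -p "$jail/dev"
    [ -c "$jail/dev/null" ] || mknod -m 666 "$jail/dev/null" c 1 3
    [ -c "$jail/dev/tty" ]  || mknod -m 666 "$jail/dev/tty"  c 5 0
}

# Usage (as root): sh build_jail.sh /var/jail testuser
if [ -n "${1:-}" ]; then
    jail_root=$1 jail_user=$2
    for b in /usr/bin/scp /usr/libexec/openssh/sftp-server /usr/bin/rssh_chroot_helper; do
        install_in_jail "$jail_root" "$b"
    done
    jail_passwd "$jail_root" "$jail_user"
    jail_devs "$jail_root"
fi
```

Re-run install_in_jail after every package upgrade of openssh or rssh: the copies in the jail do not follow the real binaries, so a security fix on the host leaves the jailed sftp-server unpatched until you copy it again.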

7

You might want to look at scponly (or more recently, rssh); it's essentially a login shell that can only be used to launch scp or the sftpd subsystem. In the scponlyc variant it performs a chroot before activating the subsystem in question.