Questions about restricting SFTP users to specific directories but giving one admin user access to all

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite
1












I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:



  • admin1user

  • county1user

  • county2user

and the following user groups:



  • admin1

  • county1

  • county2

and created the following folders:



  • /ftpfiles/

  • /ftpfiles/county1files

  • /ftpfiles/county2files

In time I will add more counties but for now this is a good start. The following setup is what I want:



The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.



What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:



SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes

X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp internal-sftp

Match Group admin1
ChrootDirectory /ftpfiles/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

Match Group county1
ChrootDirectory /ftpfiles/county1files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

Match Group county2
ChrootDirectory /ftpfiles/county2files
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no






share|improve this question


























    up vote
    0
    down vote

    favorite
    1












    I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:



    • admin1user

    • county1user

    • county2user

    and the following user groups:



    • admin1

    • county1

    • county2

    and created the following folders:



    • /ftpfiles/

    • /ftpfiles/county1files

    • /ftpfiles/county2files

    In time I will add more counties but for now this is a good start. The following setup is what I want:



    The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.



    What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:



    SyslogFacility AUTHPRIV
    PasswordAuthentication yes
    ChallengeResponseAuthentication no

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes

    X11Forwarding yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
    LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem sftp internal-sftp

    Match Group admin1
    ChrootDirectory /ftpfiles/
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

    Match Group county1
    ChrootDirectory /ftpfiles/county1files
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

    Match Group county2
    ChrootDirectory /ftpfiles/county2files
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no






    share|improve this question
























      up vote
      0
      down vote

      favorite
      1









      up vote
      0
      down vote

      favorite
      1






      1





      I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:



      • admin1user

      • county1user

      • county2user

      and the following user groups:



      • admin1

      • county1

      • county2

      and created the following folders:



      • /ftpfiles/

      • /ftpfiles/county1files

      • /ftpfiles/county2files

      In time I will add more counties but for now this is a good start. The following setup is what I want:



      The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.



      What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:



      SyslogFacility AUTHPRIV
      PasswordAuthentication yes
      ChallengeResponseAuthentication no

      GSSAPIAuthentication yes
      GSSAPICleanupCredentials no
      UsePAM yes

      X11Forwarding yes
      AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
      LC_MESSAGES
      AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
      AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
      AcceptEnv XMODIFIERS
      Subsystem sftp internal-sftp

      Match Group admin1
      ChrootDirectory /ftpfiles/
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no

      Match Group county1
      ChrootDirectory /ftpfiles/county1files
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no

      Match Group county2
      ChrootDirectory /ftpfiles/county2files
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no






      share|improve this question














      I've read a great number of posts about restricting SFTP users but I still have questions about some specifics (I just started using Linux on Friday). I built a server on AWS using Amazon Linux 4.9.75-1.56.amzn2.x86_64 (compatible with centOS) and went through guides here, and here to build the vsftpd server, and create users and attempt to restrict them to the directory associated with their group(s) respectively. The intended use of the FTP server is for records to be stored on by various counties (but they shouldn't know about each other), and to that end I created this path: /ftpfiles/county1files and: /ftpfiles/county2files. I created the following users:



      • admin1user

      • county1user

      • county2user

      and the following user groups:



      • admin1

      • county1

      • county2

      and created the following folders:



      • /ftpfiles/

      • /ftpfiles/county1files

      • /ftpfiles/county2files

      In time I will add more counties but for now this is a good start. The following setup is what I want:



      The admin1 user should have access to all directories contained within /ftpfiles/ (though they should not have access the root backbone behind /ftpfiles/), and all other users should only have access to their respective directory, i.e. the user county1 should only have access to the directory for county1files, and so on. County users should not ever be able to see any of the files or directories contained within ftpfiles.



      What I've ended up with following the aforementioned guide (above in paragraph 1) however is three groups, one group for admin1, another for county1, and yet a third for county2. When I get on another computer and ftp in, I am able to easily back into the root directory and see every file name on the server (note I can't open any items, but I can look at the file names). This theoretically shouldn't be happening, right? I know I'm doing something wrong and not understanding how the file structures work and am hoping someone can explain it to me in detail with the knowledge that I am a complete newb. Linux should be able to easily handle what I'm trying to do - I just need some help using my specific example because I'm having trouble relating other examples to mine. Thank you in advance for your help, this forum is awesome! For reference below is a copy of the un-commented sections of my config file:



      SyslogFacility AUTHPRIV
      PasswordAuthentication yes
      ChallengeResponseAuthentication no

      GSSAPIAuthentication yes
      GSSAPICleanupCredentials no
      UsePAM yes

      X11Forwarding yes
      AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
      LC_MESSAGES
      AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
      AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
      AcceptEnv XMODIFIERS
      Subsystem sftp internal-sftp

      Match Group admin1
      ChrootDirectory /ftpfiles/
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no

      Match Group county1
      ChrootDirectory /ftpfiles/county1files
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no

      Match Group county2
      ChrootDirectory /ftpfiles/county2files
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no








      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 15 at 18:01

























      asked Jan 14 at 21:38









      Damon McCall

      12




      12

























          active

          oldest

          votes











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );








           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f417119%2fquestions-about-restricting-sftp-users-to-specific-directories-but-giving-one-ad%23new-answer', 'question_page');

          );

          Post as a guest



































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes










           

          draft saved


          draft discarded


























           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f417119%2fquestions-about-restricting-sftp-users-to-specific-directories-but-giving-one-ad%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?