Making ChrootDirectory directory writable by SFTP user

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












3















If a user logs into a machine via SFTP, one can make use of ChrootDirectory keyword to give an illusion that user is in a root directory. But that directory is only writable by root user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?



I am aware that that SFTP user can be given write access to any file/directory inside that ChrootDirectory, but it's not good enough. I want the user to also create/delete the files directly under that "root" directory, without the workaround of creating a subdirectory that that user has write access to.










share|improve this question




























    3















    If a user logs into a machine via SFTP, one can make use of ChrootDirectory keyword to give an illusion that user is in a root directory. But that directory is only writable by root user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?



    I am aware that that SFTP user can be given write access to any file/directory inside that ChrootDirectory, but it's not good enough. I want the user to also create/delete the files directly under that "root" directory, without the workaround of creating a subdirectory that that user has write access to.










    share|improve this question


























      3












      3








      3








      If a user logs into a machine via SFTP, one can make use of ChrootDirectory keyword to give an illusion that user is in a root directory. But that directory is only writable by root user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?



      I am aware that that SFTP user can be given write access to any file/directory inside that ChrootDirectory, but it's not good enough. I want the user to also create/delete the files directly under that "root" directory, without the workaround of creating a subdirectory that that user has write access to.










      share|improve this question
















      If a user logs into a machine via SFTP, one can make use of ChrootDirectory keyword to give an illusion that user is in a root directory. But that directory is only writable by root user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?



      I am aware that that SFTP user can be given write access to any file/directory inside that ChrootDirectory, but it's not good enough. I want the user to also create/delete the files directly under that "root" directory, without the workaround of creating a subdirectory that that user has write access to.







      ssh sftp openssh






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 17 '13 at 9:13







      Tshepang

















      asked Jan 10 '13 at 8:16









      TshepangTshepang

      26.3k72186264




      26.3k72186264




















          1 Answer
          1






          active

          oldest

          votes


















          0














          I ran into the same problem with my in-house SFTP. What I did to get around this is:



          Inside your sshd_config file:



          Match group sftpusers
          ChrootDirectory %h


          Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):



          sftpusers:x:6000:user1,user2


          For the ChrootDirectory, make sure you chown the directory to the following (warning be-careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into, the -R commend means recursive, so if there are subfolder you do not wish this to command to include, remove it. Also a SFTP user should never be given access to a root level system directory like /etc, best to make a folder under something like /usr/local/alcatraz and give them access to that):



          chown -R root:sftpusers userChrootDirectory


          Chmod the directory to have the permission you desire, something like:



          drwxrws---


          If you require more information, let me know, this is just the highlights, that should get you to where you want to be.






          share|improve this answer























          • For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

            – Juan
            Nov 28 '17 at 21:12










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f60859%2fmaking-chrootdirectory-directory-writable-by-sftp-user%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          I ran into the same problem with my in-house SFTP. What I did to get around this is:



          Inside your sshd_config file:



          Match group sftpusers
          ChrootDirectory %h


          Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):



          sftpusers:x:6000:user1,user2


          For the ChrootDirectory, make sure you chown the directory to the following (warning be-careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into, the -R commend means recursive, so if there are subfolder you do not wish this to command to include, remove it. Also a SFTP user should never be given access to a root level system directory like /etc, best to make a folder under something like /usr/local/alcatraz and give them access to that):



          chown -R root:sftpusers userChrootDirectory


          Chmod the directory to have the permission you desire, something like:



          drwxrws---


          If you require more information, let me know, this is just the highlights, that should get you to where you want to be.






          share|improve this answer























          • For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

            – Juan
            Nov 28 '17 at 21:12















          0














          I ran into the same problem with my in-house SFTP. What I did to get around this is:



          Inside your sshd_config file:



          Match group sftpusers
          ChrootDirectory %h


          Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):



          sftpusers:x:6000:user1,user2


          For the ChrootDirectory, make sure you chown the directory to the following (warning be-careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into, the -R commend means recursive, so if there are subfolder you do not wish this to command to include, remove it. Also a SFTP user should never be given access to a root level system directory like /etc, best to make a folder under something like /usr/local/alcatraz and give them access to that):



          chown -R root:sftpusers userChrootDirectory


          Chmod the directory to have the permission you desire, something like:



          drwxrws---


          If you require more information, let me know, this is just the highlights, that should get you to where you want to be.






          share|improve this answer























          • For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

            – Juan
            Nov 28 '17 at 21:12













          0












          0








          0







          I ran into the same problem with my in-house SFTP. What I did to get around this is:



          Inside your sshd_config file:



          Match group sftpusers
          ChrootDirectory %h


          Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):



          sftpusers:x:6000:user1,user2


          For the ChrootDirectory, make sure you chown the directory to the following (warning be-careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into, the -R commend means recursive, so if there are subfolder you do not wish this to command to include, remove it. Also a SFTP user should never be given access to a root level system directory like /etc, best to make a folder under something like /usr/local/alcatraz and give them access to that):



          chown -R root:sftpusers userChrootDirectory


          Chmod the directory to have the permission you desire, something like:



          drwxrws---


          If you require more information, let me know, this is just the highlights, that should get you to where you want to be.






          share|improve this answer













          I ran into the same problem with my in-house SFTP. What I did to get around this is:



          Inside your sshd_config file:



          Match group sftpusers
          ChrootDirectory %h


          Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):



          sftpusers:x:6000:user1,user2


          For the ChrootDirectory, make sure you chown the directory to the following (warning be-careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into, the -R commend means recursive, so if there are subfolder you do not wish this to command to include, remove it. Also a SFTP user should never be given access to a root level system directory like /etc, best to make a folder under something like /usr/local/alcatraz and give them access to that):



          chown -R root:sftpusers userChrootDirectory


          Chmod the directory to have the permission you desire, something like:



          drwxrws---


          If you require more information, let me know, this is just the highlights, that should get you to where you want to be.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 25 '15 at 22:01









          devnulldevnull

          3,8991129




          3,8991129












          • For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

            – Juan
            Nov 28 '17 at 21:12

















          • For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

            – Juan
            Nov 28 '17 at 21:12
















          For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

          – Juan
          Nov 28 '17 at 21:12





          For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."

          – Juan
          Nov 28 '17 at 21:12

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f60859%2fmaking-chrootdirectory-directory-writable-by-sftp-user%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?