Making ChrootDirectory directory writable by SFTP user
If a user logs into a machine via SFTP, one can make use of the ChrootDirectory keyword to give an illusion that the user is in a root directory. But that directory is only writable by the root user. I would love for this user to have such write capabilities, and it doesn't appear that OpenSSH offers this, unless I missed something?
I am aware that that SFTP user can be given write access to any file/directory inside that ChrootDirectory, but it's not good enough. I want the user to also create/delete the files directly under that "root" directory, without the workaround of creating a subdirectory that that user has write access to.
ssh sftp openssh
edited Jan 17 '13 at 9:13
Tshepang
asked Jan 10 '13 at 8:16
Tshepang
1 Answer
I ran into the same problem with my in-house SFTP. What I did to get around this is:
Inside your sshd_config file:
    Match group sftpusers
        ChrootDirectory %h
Inside your /etc/groups file, add your sftp user to the sftpusers group (create it if it doesn't exist):
    sftpusers:x:6000:user1,user2
For the ChrootDirectory, make sure you chown the directory to the following (warning: be careful of the directory that you are running this command on, make sure it is being run only on the directory that the user logs into; the -R command means recursive, so if there are subfolders you do not wish this command to include, remove it. Also, an SFTP user should never be given access to a root-level system directory like /etc; best to make a folder under something like /usr/local/alcatraz and give them access to that):
    chown -R root:sftpusers userChrootDirectory
Chmod the directory to have the permission you desire, something like:
    drwxrws---
If you require more information, let me know; this is just the highlights, which should get you to where you want to be.
answered Dec 25 '15 at 22:01
devnull
For openssh this method (adding group write permissions to the chroot directory) will not work. Quoted from the openssh (at least version 7.2) sshd_config(5) man page: "At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."
– Juan
Nov 28 '17 at 21:12
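The rule quoted in the comment above, written out as a pre-flight check you can run before pointing ChrootDirectory at a path. This is an added example, not part of the original answer or comment. It assumes GNU stat; the owner-uid argument is a hypothetical parameter so the check can be exercised without root, and /srv/sftp/user1 is a placeholder path.

```shell
#!/bin/sh
# Added example: verify a path against the sshd_config(5) ChrootDirectory rule:
# every component must be a directory, owned by root, and not writable by
# group or others. Assumes GNU stat. OWNER_UID (default 0) is a hypothetical
# parameter for testing as a non-root user.

# component_ok DIR [OWNER_UID]
component_ok() {
    c_dir=$1; c_owner=${2:-0}
    [ -d "$c_dir" ] || { echo "FAIL $c_dir: not a directory" >&2; return 1; }
    c_stat=$(stat -L -c '%u %a' "$c_dir") || return 1
    c_uid=${c_stat% *}; c_mode=${c_stat#* }
    if [ "$c_uid" != "$c_owner" ]; then
        echo "FAIL $c_dir: owned by uid $c_uid, expected $c_owner" >&2; return 1
    fi
    # Octal mask 022 = group-write (020) | other-write (002).
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
        echo "FAIL $c_dir: mode $c_mode is group/other writable" >&2; return 1
    fi
    return 0
}

# check_chroot_path ABSOLUTE_PATH [OWNER_UID]: walk "/" down to the leaf.
check_chroot_path() {
    p_path=$1; p_owner=${2:-0}
    case $p_path in
        /*) ;;
        *) echo "FAIL $p_path: must be an absolute path" >&2; return 1 ;;
    esac
    component_ok / "$p_owner" || return 1
    p_cur=
    p_ifs=$IFS; IFS=/
    set -f; set -- $p_path; set +f      # split on '/', no globbing
    IFS=$p_ifs
    for p_part in "$@"; do
        [ -n "$p_part" ] || continue    # skip empty fields from leading or doubled '/'
        p_cur=$p_cur/$p_part
        component_ok "$p_cur" "$p_owner" || return 1
    done
    echo "OK $p_path"
}

# Usage: sh check_chroot.sh /srv/sftp/user1
if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

A directory with the drwxrws--- mode from the answer fails the 022 mask on its group-write bit, which is the condition the comment describes.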