Koozali.org: home of the SME Server

How to restrict SFTP users to home folder

Offline confiarus

« on: September 22, 2009, 08:58:47 PM »
I'm running SME 7.4.  I've enabled RSSH to allow users to use SFTP to access their user folders using WinSCP.  This works great, however, the users are able to traverse to the root and to the ibays.  As well, I've set the "chroot" to the user's "home" folder in the user's remote setup.

Is there a way to restrict, or, "jail" users into their own "home" folder while logged into the server?  I've read other posts on this subject, but, haven't seen any solutions.  Any help would be greatly appreciated.

Offline Stefano

« Reply #1 on: September 26, 2009, 09:34:40 PM »
hi

googling a bit I've found this page, I think you'll find it useful

If you get it working, please share with a howto, thank you

Offline confiarus

« Reply #2 on: September 27, 2009, 12:17:37 AM »
Stefano,
Thanks for the link.  I will try to see if those instructions work.  I'm a novice at Linux scripting and command line instructions, but, will give it a shot. 

Offline janet

« Reply #3 on: September 27, 2009, 02:03:33 AM »
confiarus

I think you want
yum install --enablerepo=smecontribs smeserver-remoteuseraccess
Then configure with server manager panel

Offline confiarus

« Reply #4 on: October 05, 2009, 10:38:38 PM »
Mary, thanks for the reply; however, that is the first thing I did.  It will restrict each user access to another user's account, however, it does not restrict each user to have access to the root files while using their SFTP client software.

Offline Stefano

« Reply #5 on: October 05, 2009, 10:56:01 PM »
> confiarus
>
> I think you want
> yum install --enablerepo=smecontribs smeserver-remoteuseraccess
> Then configure with server manager panel

this contrib will restrict users only with ftp..

IIRC in the latest versions of OpenSSH (5.x) there's a config directive to chroot users..
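
Added example (not part of the thread and not SME Server's own code): the OpenSSH directive for chrooting users is `ChrootDirectory`, and sshd refuses the session unless every component of the chroot path is a root-owned directory that is not writable by group or other. The shell functions below check a candidate jail path against that rule; the `sftponly` group name is a placeholder, and GNU `stat` and `readlink -f` are assumed.

```shell
#!/bin/sh
# Added example. sshd_config stanza this check is meant for
# (group name "sftponly" is a placeholder):
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory %h
#       ForceCommand internal-sftp
#
# With %h the user's home itself becomes the jail root, so it must be
# root-owned; a home directory owned by the user fails the check below.

# check_component DIR [UID]: DIR must be a directory owned by UID
# (default 0, root) with no group/other write bit.
check_component() {
    c_dir=$1
    c_uid=${2:-0}
    if [ ! -d "$c_dir" ]; then
        echo "FAIL $c_dir: not a directory"; return 1
    fi
    c_owner=$(stat -L -c '%u' "$c_dir")
    c_mode=$(stat -L -c '%a' "$c_dir")
    if [ "$c_owner" != "$c_uid" ]; then
        echo "FAIL $c_dir: owner uid $c_owner, expected $c_uid"; return 1
    fi
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
        echo "FAIL $c_dir: mode $c_mode is group/other writable"; return 1
    fi
    echo "ok   $c_dir"
}

# check_chroot_path PATH [UID]: check PATH and every parent up to /.
# Returns 0 if all components pass, 1 if any fails, 2 on a bad argument.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "path must be absolute: $1" >&2; return 2 ;;
    esac
    p_path=$(readlink -f "$1") || { echo "cannot resolve: $1" >&2; return 2; }
    p_rc=0
    while :; do
        check_component "$p_path" "${2:-0}" || p_rc=1
        [ "$p_path" = "/" ] && break
        p_path=$(dirname "$p_path")
    done
    return $p_rc
}
```

Run `check_chroot_path` against the intended jail directory before enabling the `Match` block; any `FAIL` line names a component to fix with `chown root` or `chmod go-w`.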

Offline confiarus

« Reply #6 on: October 06, 2009, 12:46:07 AM »
Stefano, thanks for the reply.  I tried upgrading OpenSSH to ver. 5 per http://help.webquarry.com/blogtest/2009/05/29/packaging-openssh-5-on-centos-47/.  However, it failed at: "rpmbuild -bb openssh.spec".

I also tried the link you sent me earlier. Here's what I found:

1.  I skipped to step 2 of the instruction because, when I did the yum install of remoteaccess, that installed RSSH because the rssh.conf file exists in the /etc directory.

2.  Going through step 2, I found that even though creating the new users worked, the new users did not show up in the user list in the server-manager gui.

3.  I continued on anyway.  However, continuing on in step 3 the command  "cp -avr /etc/ld.so.cache.d/ ." failed because the file didn't exist in /etc. At this point I stopped.

My guess is that it would not be smart to continue without all files required being where they should be.   Any ideas on this ???



Offline dmcguire

« Reply #7 on: October 07, 2009, 11:19:53 AM »
> Mary, thanks for the reply; however, that is the first thing I did.  It will restrict each user access to another user's account, however, it does not restrict each user to have access to the root files while using their SFTP client software.

I have two users using that contrib, and while they can traverse the directory structure from WinSCP, they cannot access any files other than those they have permissions for. They cannot list the content of other users' folders at all. I have not found any way to "jail" the user to their home directory though.