Chroot / Lock User In Dir

dave · Jan 6, 2011

I am having trouble getting chroot to work for me using the built-in ssh on FreeBSD 8.1 RELEASE. What is the simplest (most elegant) way to lock a user in a directory for editing files (i.e. a web site) without using FTP?

The error I keep getting is...

Code:

sshd[38813]: fatal: bad ownership or modes for chroot directory "/usr/local/chroot/home/testuser"

vand777 · Jan 6, 2011

In /etc/ssh/sshd_config:

Code:

...
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match User your_user
    ChrootDirectory /home/your_user/ftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
...

Permissions:

Code:

#ls -al /home/your_user

...
drwxr-x---  3 root       your_user  512 Aug 29 22:02 ftp
...

Code:

#ls -al /home/your_user/ftp/

...
drwxrwxr-x  2 root  your_user  512 Oct 28 21:13 pub
...

Your user will have full access to /home/your_user/ftp/pub.

anomie · Jan 6, 2011

I think vand777 has already given you a thorough answer.

I'd point out that the fix is built right into the error message you're seeing. From the sshd_config(5) manpages:

Code:

ChrootDirectory
        Specifies the pathname of a directory to chroot(2) to after
        authentication.  All components of the pathname must be root-
        owned directories that are not writable by any other user or
        group...

dave · Jan 7, 2011

anomie said:
I think vand777 has already given you a thorough answer.

I'd point out that the fix is built right into the error message you're seeing. From the sshd_config(5) manpages:

Code:

ChrootDirectory Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root- owned directories that are not writable by any other user or group...

Yes, I read the man page. There are more components to this setup than the directory permissions. The most confusing part of the man page is that it does not make clear the difference between the the directory "to chroot to", the directory below it (pub in vand777's example), or if/where/how they should be specified in the config.

dave · Jan 7, 2011

vand777 said:

In /etc/ssh/sshd_config:

Code:

...
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match User your_user
    ChrootDirectory /home/your_user/ftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
...

Permissions:

Code:

#ls -al /home/your_user

...
drwxr-x---  3 root       your_user  512 Aug 29 22:02 ftp
...

Code:

#ls -al /home/your_user/ftp/

...
drwxrwxr-x  2 root  your_user  512 Oct 28 21:13 pub
...

Your user will have full access to /home/your_user/ftp/pub.

Thanks, What shell should I use for the your_user account?

vand777 · Jan 7, 2011

dave said:
Thanks, What shell should I use for the your_user account?

nologin unless you want your user to be able to connect to your system other than via sftp.

vand777 · Jan 7, 2011

dave said:
Yes, I read the man page. There are more components to this setup than the directory permissions. The most confusing part of the man page is that it does not make clear the difference between the the directory "to chroot to", the directory below it (pub in vand777's example), or if/where/how they should be specified in the config.

Please setup directory permissions as advised in my post above and it will start working. I had exactly the same issue when first tried to chroot user.