  1. #1

    sftp server with chrooted users and one sftp admin user

    Hello All,

    I want to create an sftp server where there are several users with a chrooted directory, and one user who has access (read, write and delete) to all the directories of the other users.
    I followed a guide (can't post the link because I don't have enough posts) for a chrooted sftp server (using the ssh daemon as sftp server). This goes without a problem. Where I'm stuck is the one user who should have access to all the chrooted directories of the other users.

    I know that if I make the sftp admin user a server admin, it works without a problem. But that's security wise not a good idea.

    Does anyone know how I can do this?

  2. #2
    hello and welcome, Jan!

    I assume you are using syntax like this in your sshd_config file:

    Match Group sftpusers
       ChrootDirectory %h
       ForceCommand internal-sftp
       AllowTcpForwarding no
    can you just leave the one power user out of the sftpusers group, and in its own group (e.g., called powerusers), and have that group be chrooted to one directory above all the others' home? e.g., assuming %h resolves to /home/username, set the power user's ChrootDirectory to /home.

    that is only part of it, though. at the filesystem level, you'd also have to grant the power user access to those user directories. you could either do this using chmod/chown, e.g.:

    chown :powerusers /home/*
    chmod 0775 /home/*
    note, you have to be root to run the above command. also, those are not recursive commands - they will only affect the users' base home dirs.

    another (better) way would be to use setfacl to set the permissions.

  3. #3
    Thank you for your reply.
    However, as soon as I execute "chmod 0775 /home/*" the users can't connect anymore to the sftp server.
    Looking a bit further, this is because root needs to be owner of the chrooted directory.
    As an alternative I made a user which is in the "root" group, but disabled shell access. This is probably far from ideal, but it works. (Looks like I can't chroot the root user in the home directory)
    I'll try with setfacl this weekend

  5. #4
    yes, quite right, i forgot about that. good call. let us know how you get on w/setfacl.

  6. #5
    I got it working with setfacl.
    However, when a user creates a new folder in his directory, the ACLs aren't set on it automatically.
    I'm going to solve this by creating a cron job that runs every night that sets all the rights with setfacl again. Unless someone has another (better) solution for this

    If I set any rights on the folder /home or /home/user, the users can't log in anymore (due to chroot) so I have to set the rights on /home/users/writable
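
    The login failures described in posts #3 and #5 come from sshd's rule that every directory on the path to the ChrootDirectory must be root-owned and not group/other writable. As an added example (not code from anyone in this thread), this Python check walks that path and reports each violation; the directory layout and the fake_stat function are constructed so it runs offline, while the real os.stat can be passed instead to check a live box.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

def chroot_path_problems(chroot_dir, stat_fn=os.stat):
    """Return (path, reason) for every component of chroot_dir, from / down
    to the chroot itself, that breaks sshd's ChrootDirectory requirement:
    root-owned directory, not writable by group or other.
    stat_fn is injectable so the check can run against constructed data."""
    problems = []
    path = PurePosixPath(chroot_dir)
    if not path.is_absolute():
        return [(str(path), "ChrootDirectory must be an absolute path")]
    components = list(reversed(path.parents)) + [path]  # "/", "/home", ...
    for comp in components:
        try:
            st = stat_fn(str(comp))
        except FileNotFoundError:
            problems.append((str(comp), "does not exist"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((str(comp), "not a directory"))
            break
        if st.st_uid != 0:
            problems.append((str(comp), f"owned by uid {st.st_uid}, must be root (uid 0)"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((str(comp), f"mode {mode:04o} is group/other writable"))
    return problems

# Constructed layout (hypothetical, not a real host): uid and mode per directory.
CONSTRUCTED_FS = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/user": (0, 0o775),             # post #3: chmod 0775 on the chroot dir
    "/home/user/writable": (1001, 0o755), # the user's own, user-owned subdir
}

def fake_stat(path):
    """Stand-in for os.stat over CONSTRUCTED_FS (assumption: all entries are dirs)."""
    try:
        uid, mode = CONSTRUCTED_FS[path]
    except KeyError:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | mode)

if __name__ == "__main__":
    for p, why in chroot_path_problems("/home/user", fake_stat):
        print(f"{p}: {why}")
```

Running it against the constructed layout flags /home/user as group-writable, which is exactly why the chmod in post #3 locked the sftp users out; /home alone passes, so the chroot must sit at a root-owned level with the writable area below it.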

  7. #6
    did you use the -R (recursive) flag when you ran the setfacl command?

  8. #7
    Yes I did,
    But it only sets the rights on the folders that exist at that moment.
    Adding new files to the folder isn't a problem, those get the correct rights, but when I add a subfolder, the rights aren't inherited from the folder above.

  9. #8
    perhaps you did not set the default permissions (the "-d" flag) when running the setfacl command? for example, this works for me:

    # set default permissions for new files/dirs
    setfacl -Rdm g:poweruser:rwX /home/user/
    # set permissions on existing files/dirs
    setfacl -Rm g:poweruser:rwX /home/user/

  10. #9
    I didn't add the -d flag.
    I did now and works fine.

    Thanks for all your help

  11. #10
    Quote Originally Posted by JanR:
    I didn't add the -d flag.
    a recent discovery for me, too! glad it's all sorted.

    marking as Solved. You can do this to your own threads as well using the Thread Tools link at the top of the page.
