AIX 6.1 SFTP: Allow chroot'd user to access files in location outside their home
Long-winded first posting, I have tried to be succint while providing details.
I am working on an AIX 6.1 server where SFTP (via WinSCP) is already used by several service accounts to access files in many subdirectories of /app/data.
I've been asked to set up an SFTP user account to allow access to two of the subdirectories, /app/data/bills & /app/data/invoices, but it must not be able to access the other subdirectories or anywhere else on the server. I am not allowed to change any owner, group or permissions within the /app directory branch.
Following this link - Configure an sftp chroot environment - I have successfully created an account with home directory of /sftpjail/sftpuser and have confirmed a) it cannot log on via other methods (SSH, console) and b) it can connect via WinSCP and can only see the contents of its home directory.
- My
/etc/ssh/sshd_configsection is as follows:
Match Group sftpgrp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
The directories and files under the
/app/databranch are all owned byappsuserand in the groupappsgroupand the permissions are 775 (ug=rwx,o=rx).The sftpuser account is also a member of the
appsgroupgroup.
I have created symbolic links to /app/data/bills in the user's home directory, I presume this doesn't work because the link is a path to a directory outside of the chroot.
I have tried mounting the /app/data/bills directory onto a mountpoint within the users's home:
cd /sftpjail/sftpuser
mkdir bills
mount /app/data/bills bills
... this latter approach had some interesting results:
I could connect via WinSCP and see the
billsdirectory, if I double-clicked it then I would be given an error dialogue and, when cleared, I would be "in" the directory but unable to see any content.If I used
sftp sftpuser@localhostfrom the AIX server, it would let me navigate into thebillsdirectory without a problem but anlsof the content would give theremote readdir("/bills"): Failuremessage.
I was able to further navigate into the/bills/2019and/bills/2019/09subdirectories, each time anlsproduced the same error.
However, it gets really interesting when Iputa temporary file into/bills, not only did it successfully upload the file but after doing so it would allowlsto work. As soon as I deleted the temporary file it want back to erroring,putthe file back andlsworks again.
Question 1: Should it be possible to access directories that are outside of a chroot home and, if so, how?
Question 2: Is there another way to achieve the required result? One that does not involve installing third-party software.
I appreciate your patience if you have read this far.
Solution 1:
Symlinks are essentially just pointers to another file, but you can't point to something outside the chroot because it would be looking for a file with that name which doesn't exist inside the chroot.
You could use mount with bind to remount the directories you need in
the jail.
For example:
# mount --bind /bin /chroot/bin
# mount --bind /lib /chroot/lib
# chroot /chroot
If you wish to place it in /etc/fstab, the same example would look like:
/bin /chroot/bin none bind
/lib /chroot/lib none bind