Changing write permissions for jailed SFTP denies login

I have scouted over many websites and forums on how to set up an SFTP user that is jailed to a certain directory using CHROOT. Here are the steps I have followed, but I can't seem to get write permissions to work.

Setup

sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


Match group webmaster
        X11Forwarding no
        ChrootDirectory %h
        AllowTcpForwarding no
        ForceCommand internal-sftp

Create Folder

mkdir /var/www/sites

Create User and Group

useradd uploader
passwd uploader
usermod -d /var/www/sites uploader
# groupadd only creates a group; membership is added with usermod -aG
groupadd webmaster
usermod -aG webmaster uploader
usermod -aG www-data uploader

Permissions and Ownership

chown root:root /var/www
chmod 755 /var/www/sites

Now with these settings the user uploader is able to SFTP into the home directory but is unable to write to the directory.

There are 2 typical errors that occur, I either can't login or I don't have write permissions.

Login Error

Error:    Network error: Software caused connection abort
Error:    Could not connect to server


Changing permissions of /var/www/sites to 775 or 777 causes a login error.
chown /var/www/sites to uploader:root causes a login error.
With chown root:webmaster or root:www-data I have no write permissions.

I am at my wits' end trying to figure this out, and if anyone could point me in the right direction I would greatly appreciate it.

Thank you.


Solution 1:

Found out the solution. The user is jailed to /var/www/sites. I then created another folder /var/www/sites/site1.

I use:

chown root:webmaster /var/www/sites/site1 
chmod 775 /var/www/sites/site1

This enabled the home directory to have the correct permissions to login and then be able to write to the next folder up.

If the user needs write access to /var/www/sites, then you must jail the user at /var/www which has root:root ownership and permissions of 755. You then need to give /var/www/sites ownership of root:(your group) and permissions of 775.
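The requirement behind both the login failures in the question and the layout in Solution 1 is sshd's rule for ChrootDirectory: the jail directory and every parent component must be owned by root and must not be group- or world-writable, otherwise sshd logs "bad ownership or modes for chroot directory" and drops the session. The following check is an added example, not code from the question or the answers; it assumes GNU stat (Linux), and the CHROOT_OWNER_UID variable exists only so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the question or the answers on this page.
# sshd accepts a ChrootDirectory only if that directory and every parent
# component are owned by root and are neither group- nor world-writable;
# a violation is logged as "bad ownership or modes for chroot directory"
# and the client sees the connection abort from the question.
# Assumptions: GNU stat (Linux); CHROOT_OWNER_UID is a knob for running the
# check as an unprivileged user in tests and stays 0 (root) in real use.
CHROOT_OWNER_UID="${CHROOT_OWNER_UID:-0}"

# Print one diagnostic line per offending path component; prints nothing
# when the path satisfies sshd's requirements.
chroot_path_problems() {
    local dir="$1" rest path="" comp info uid mode
    rest=${dir#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -z "$comp" ] && continue          # skip empty components ("//")
        path="$path/$comp"
        info=$(stat -c '%u %a' "$path" 2>/dev/null) || {
            echo "$path: cannot stat"; continue; }
        uid=${info%% *}; mode=${info##* }
        [ "$uid" = "$CHROOT_OWNER_UID" ] ||
            echo "$path: owned by uid $uid, must be owned by uid $CHROOT_OWNER_UID"
        # 022 = group-write | world-write bits of the octal mode
        [ $(( 0$mode & 022 )) -eq 0 ] ||
            echo "$path: mode $mode is group- or world-writable"
    done
}

# Exit 0 when the chroot path is acceptable to sshd, 1 otherwise.
chroot_path_ok() {
    [ -z "$(chroot_path_problems "$1")" ]
}

# Lay out a jail the way Solution 1 does: a non-writable jail root with a
# group-writable upload directory beneath it. Ownership is left to chown,
# which needs root: chown root:root "$jail"; chown root:GROUP "$jail/$subdir".
make_jail() {
    local jail="$1" subdir="$2"
    mkdir -p "$jail/$subdir" &&
    chmod 755 "$jail" &&
    chmod 775 "$jail/$subdir"
}

# Usage: make_jail /var/www/sites site1; chroot_path_problems /var/www/sites
```

Run chroot_path_problems against the ChrootDirectory value before adding the Match block; an empty result means sshd will accept the jail, and each printed line names the exact component to fix.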

Solution 2:

Maybe the greatest solution is:

mkdir /var/www/sites/myfirstuser/hisownsite
mkdir /var/www/sites/myseconduser/hisownsite

...

chown root:root /var/www/sites /var/www/sites/{myfirstuser,myseconduser} && chmod 755 /var/www/sites/{myfirstuser,myseconduser}

chmod 775 /var/www/sites/myfirstuser/hisownsite
chmod 775 /var/www/sites/myseconduser/hisownsite
chgrp www-data /var/www/sites/myfirstuser/hisownsite /var/www/sites/myseconduser/hisownsite

Add the users:

useradd -d /var/www/sites/myfirstuser -s /bin/false -g www-data dev1
useradd -d /var/www/sites/myseconduser -s /bin/false -g www-data dev2
passwd dev1
passwd dev2

Then, for each user you have created, add an ssh tag like this: (you could also use the "Match Group" directive as in your example instead of "Match User")

Match User dev1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match User dev2
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

So you can manage all users you need in a chrooted environment.

Hth, Fabrizio