bad ownership or modes for chroot directory component
I created the user MY_USER. Set his home dir to /var/www/RESTRICTED_DIR, which is the path he should be restricted to. Then I edited sshd_config and set:
Match user MY_USER
ChrootDirectory /var/www/RESTRICTED_DIR
Then I restarted ssh. Made MY_USER owner (and group owner) of RESTRICTED_DIR, and chmodded it to 755. I get
Accepted password for MY_USER
session opened for user MY_USER by (uid=0)
fatal: bad ownership or modes for chroot directory component "/var/www/RESTRICTED_DIR"
pam_unix(sshd:session): session closed for user MY_USER
If I removed the 2 lines from sshd_config the user can login successfully. Of course it can access all the server though. What's the problem? I even tried to chown RESTRICTED_DIR to root (as I read somewhere that someone solved this same problem doing it). No luck..
Solution 1:
From the man
page:
ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.
My guess is one or more of the directories on the path do not meet those requirements (my suspicion is www
is owned or writable by your web user, not root).
Go back and follow the directions, ensuring that the requirements above in bold italics are met.
Solution 2:
ChrootDirectory directory must be owned by root and have 755 mode:
sudo chown root:root /var/www/RESTRICTED_DIR
sudo chmod 755 /var/www/RESTRICTED_DIR
Ok, now all files into /var/www/RESTRICTED_DIR
must be owned by MY_USER
, which must belong to www-data
group, and have 775 mode to allow group permissions, like this:
sudo usermod -a -G www-data MY_USER
sudo chown MY_USER:www-data /var/www/RESTRICTED_DIR/*
sudo chmod 775 -R /var/www/RESTRICTED_DIR/*
NOTE: Remember is a good practice allow access only to an htdocs folder if you are configuring apache.
Solution 3:
After some troubleshooting today, I realized that root must also be able to write to the directories.
The following did not work:
$ ls -ld /mnt/synology03/files/
dr-xr-xr-x 1 root root 156 Oct 8 20:10 /mnt/synology03/files/
$ ls -ld /mnt/synology03
drwxr-xr-x 7 root root 4096 Oct 1 21:26 /mnt/synology03
$ ls -ld /mnt
drwxr-xr-x 6 root root 4096 Feb 8 10:01 /mnt
$ ls -ld /
drwxr-xr-x 24 root root 4096 Jan 14 09:22 /
As soon as I fixed this, my chroot started working.
$ sudo chmod 755 /mnt/synology03/files/
$ ls -ld /mnt/synology03/files/
drwxr-xr-x 1 root root 156 Oct 8 20:10 /mnt/synology03/files/