In an environment where you have multiple developers working on different sites, or perhaps you have multiple clients hosting their websites on your solution, restricting access for those users can become important.
Security becomes a concern in a normal FTP environment as it doesn’t take much for a user to simply ‘cd ..’ and see what other users are on your server. We want a way to simply lock those users only into their home directories so they cannot essentially ‘break out’.
It is important to consider how you are going to give those chrooted SFTP users access to their directories. In a chroot, simply using a symlink will not work as the filesystem will have no knowledge of the data outside that chroot. Therefore you would have to consider either:
1. Chrooting the user to their web sites home directory
2. Chrooting the user to their home directory, then create a bind mount to their website.
Both have their pro’s and con’s, however it could be argued that chrooting them to their home directory and using bind mounts is more secure since its offers an added layer of security since you are not relying solely on permissions, but also on the chroot itself. For the purposes of this article, we are going to default to chrooting users to their home directory, then creating a bind mount to their website.
To get started, first, create the restrict SFTP-only group
[root@web01 ~]# groupadd sftponly
Next, edit the sshd config to setup the internal-sftp subsystem. You will need to comment out the first entry as shown below:
[root@web01 ~]# vim /etc/ssh/sshd_config ... # Subsystem sftp /usr/libexec/openssh/sftp-server Subsystem sftp internal-sftp ...
Now at the very bottom of /etc/ssh/sshd_config, setup the following block. It is important that this is created at the very end of the file:
[root@web01 ~]# vim /etc/ssh/sshd_config
...
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp
...
Then restart SSHD by:
[root@web01 ~]# service sshd restart
Now that the foundation is complete, we can add chrooted SFTP-only users. You will notice I will set the home directory to /home/chroot/bob. This is optional, but I prefer it so you can quickly tell the difference between regular users and SFTP-only users. To create a new user called bob with the proper group assignments and permissions:
[root@web01 ~]# mkdir -p /home/chroot [root@web01 ~]# useradd -d /home/chroot/bob -s /bin/false -G sftponly bob [root@web01 ~]# passwd bob [root@web01 ~]# chmod 755 /home/chroot/bob [root@web01 ~]# chown root:root /home/chroot/bob
Users will not be able to write any data within their home directory since the home directory MUST be owned by root. If they want to be able to write files, create them a writable directory by:
[root@web01 ~]# mkdir /home/chroot/bob/files [root@web01 ~]# chown bob:bob /home/chroot/bob/files
Now to allow them to access their content in /var/www/vhosts/domain.com, you need to create a bind mount:
[root@web01 ~]# vim /etc/fstab ... /var/www/vhosts/domain.com /home/chroot/bob/domain.com none bind 0 0 ...
Finally, create the placeholder folder, and mount the bind mount:
[root@web01 ~]# mkdir /home/chroot/bob/domain.com [root@web01 ~]# mount -a
Confirm user bob is setup in the right group, and that the root directory ‘/home/chroot/bob/domain.com has group writable perms. In my specific example, as the directory has the ownership apache:apache, I had to do the following:
[root@web01 ~]# usermod -a -G apache bob [root@web01 ~]# chmod 775 /var/www/vhosts/domain.com