-
Mar 17, 2012 2:00 PM in response to AndrewCologne by Camelot
This has been covered many times before. Search for SFTP chroot for specific pointers.
By default, any SSH user can access any file/directory they have permissions for. To lock them to a specific directory you need chroot. Note that if you want them to login with a shell, rather than just SFTP, that's a significantly more complex setup.
-
Mar 18, 2012 11:12 AM in response to Camelot by AndrewCologne
Thanks, I didn't know that this is called "chroot". But I figured it out last night.
I found many different tutorials and approaches on the www, but finally I did the mix which gave me success, and I'll post it here for others if needed:
In my case I wanted the sFTP folder to be stored at
Macintosh HD/sftp
means the whole path in root/shell will be:
/Volumes/Macintosh HD/sftp
so here's the approach:
First, create the folder:
sudo mkdir "/Volumes/Macintosh HD/sftp"
Basic rule: Every folder in the path, up to and including "sftp", has to be owned by root,
and only writable by root! That is achieved as follows:
sudo chmod g-w /
sudo chmod g-w /Volumes
sudo chmod g-w "/Volumes/Macintosh HD/"
sudo chown root "/Volumes/Macintosh HD/"
Now, I wanted the sftp folder to be accessed by the group "sftpusers" only.
So, as told above, the sftp folder also has to be owned by root and only! writable by root,
which means the group "sftpusers" has to be set to read-only also! (otherwise later the login will fail):
sudo chown root:sftpusers "/Volumes/Macintosh HD/sftp"
sudo chmod 750 "/Volumes/Macintosh HD/sftp"
As a final step you enter /etc/ on the server's root directory and make a copy of the file "sshd_config":
sudo cp /etc/sshd_config /etc/sshd_config.bkup
Edit the sshd_config as follows.
Comment out the line
Subsystem sftp /usr/libexec/sftp-server
and add instead
Subsystem sftp internal-sftp
and finally add at the end:
Match Group sftpusers
ChrootDirectory /sftp
ForceCommand internal-sftp
AllowTcpForwarding no
By this the group "sftpusers" will be directed to the folder "sftp" when logging in.
That's all!
Note: As the "sftp" folder is read-only you can easily create subfolders where you can provide individual read/write permissions for all members.
-
Feb 2, 2015 9:23 AM in response to AndrewCologne by CKirk.
Is there a way to make this whole setup for only one specific user instead of a group? It would be nice if this user could be a "sharing only" user since I don't want the user to have a full user profile. I did complete all of your instructions, and everything worked fine, but I would really prefer that there would not be any groups on my computer. Thanks!