AndrewCologne

Q: How to set SSH user-permissions only to specific folders?

Hi,

I'm aware of how to enable sFTP support in Lion Server by enabling SSH access in the Hardware settings.

Now, if I log in using sFTP in the Transmit client software with a normal user account who should be able to access the server via SSH but only has permissions for the "Public" folder on the server, that user can see/access the root directory of the server via SSH/sFTP anyway!

Any hints on how to set specific folder permissions for users using the enabled SSH/sFTP option?

Thanks in advance!

Andrew

Mac mini, Mac OS X (10.7.3), Mac Mini late 2007 - 2GB RAM - 2Ghz

Posted on Mar 17, 2012 4:01 AM


  • by Camelot, Mar 17, 2012 2:00 PM in response to AndrewCologne
    Level 8 (47,243 points), Mac OS X

    This has been covered many times before. Search for SFTP chroot for specific pointers.

    By default, any SSH user can access any file/directory they have permissions for. To lock them to a specific directory you need chroot. Note that if you want them to log in with a shell, rather than just SFTP, that's a significantly more complex setup.

  • by AndrewCologne, Mar 18, 2012 11:12 AM in response to Camelot
    Level 1 (0 points)

    Thanks, I didn't know that this is called "chroot". But I figured it out last night.

    I found many different tutorials and approaches on the web, but finally I did the mix which gave me success, and I'll post it here for others if needed:

    In my case I wanted the sFTP folder to be stored at

    Macintosh HD/sftp

    which means the whole path in root/shell will be:

    /Volumes/Macintosh HD/sftp

    So here's the approach:

    First, create the folder:

    sudo mkdir "/Volumes/Macintosh HD/sftp"

    Basic rule: Every folder in the path, up to and including "sftp", has to be owned by root
    and only writable by root! That is achieved as follows:

    sudo chmod g-w /
    sudo chmod g-w /Volumes
    sudo chmod g-w "/Volumes/Macintosh HD/"
    sudo chown root "/Volumes/Macintosh HD/"

    Now, I wanted the sftp folder to be accessed by the group "sftpusers" only.
    So, as said above, the sftp folder also has to be owned by root and only! writable by root,
    which means the group "sftpusers" has to be set to read-only too! (otherwise the login will fail later):

    sudo chown root:sftpusers "/Volumes/Macintosh HD/sftp"
    sudo chmod 750 "/Volumes/Macintosh HD/sftp"

    As the final step, go to /etc/ in the server's root directory and make a copy of the file "sshd_config":

    sudo cp /etc/sshd_config /etc/sshd_config.bkup

    Edit sshd_config as follows.

    Comment out the line

    Subsystem       sftp    /usr/libexec/sftp-server

    and add instead

    Subsystem sftp internal-sftp

    and finally add at the end:

    Match Group sftpusers
         ChrootDirectory /sftp
         ForceCommand internal-sftp
         AllowTcpForwarding no

    By this the group "sftpusers" will be directed to the folder "sftp" when logging in.

    That's all!

    Note: As the "sftp" folder is read-only, you can easily create subfolders where you can provide individual read/write permissions for all members.
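The "basic rule" in the post above (every directory from the chroot directory up to / must be owned by root and writable only by root) is exactly the check sshd performs before it chroots an SFTP session; when a component fails it, the login is refused and sshd logs "bad ownership or modes for chroot directory". The script below is an added example, not code from the thread or from OpenSSH: it walks that chain for a given ChrootDirectory and reports the first component that breaks the rule. The WANT_UID and STOP_DIR parameters, the helper names, and the temporary directory tree it builds are assumptions made here so the check can be exercised without root on a throwaway tree; on the server from the post you would run it as `check_chroot_path /sftp`.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a ChrootDirectory path
# satisfies the rule from the post above, i.e. every component from the
# chroot directory up to / is a directory owned by root and not writable by
# group or others. When it is not, sshd refuses the login and logs
# "bad ownership or modes for chroot directory".
#
# Usage: check_chroot_path PATH [WANT_UID] [STOP_DIR]
#   WANT_UID defaults to 0 (root), which is what sshd demands; it is a
#   parameter only so the check can be exercised on a non-root test tree.
#   STOP_DIR defaults to /; the walk ends after checking that directory.

# Print "<uid> <octal mode>" for a path. GNU stat is tried first, then the
# BSD/macOS form. -L follows symlinks, as sshd's own stat() call does.
file_uid_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1"
}

check_chroot_path() {
    target=$1
    want_uid=${2:-0}
    stop=${3:-/}
    p=$target
    while :; do
        if [ ! -d "$p" ]; then
            echo "FAIL: $p is not a directory" >&2
            return 1
        fi
        set -- $(file_uid_mode "$p")
        uid=$1
        mode=$2
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $p is owned by uid $uid, sshd wants uid $want_uid" >&2
            return 1
        fi
        # 0$mode turns "755" into the octal constant 0755; 022 = g+w and o+w.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $p has mode $mode (writable by group or others)" >&2
            return 1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "OK: $target and every parent up to $stop are owned by uid $want_uid and not group/world writable"
    return 0
}

# Constructed test tree (not a real server layout) under a temp dir:
#   $root/good/sftp  every component is 755 or 750         -> should pass
#   $root/bad/sftp   the parent "bad" is group-writable 775 -> should fail,
#                    which is the mistake the post warns about
# Prints the temp root so the caller can run checks and delete it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/good/sftp" "$root/bad/sftp"
    chmod 755 "$root" "$root/good"
    chmod 750 "$root/good/sftp" "$root/bad/sftp"
    chmod 775 "$root/bad"
    printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree, using the current uid as owner.
# On the server from the post you would simply run:  check_chroot_path /sftp
demo() {
    root=$(make_fixture)
    me=$(id -u)
    check_chroot_path "$root/good/sftp" "$me" "$root" || true
    check_chroot_path "$root/bad/sftp" "$me" "$root" || true
    rm -rf "$root"
}
demo
```

The post's `chown root:sftpusers` plus `chmod 750` passes this check because 750 grants the group read and search but not write; the usual mistake is to make the chroot directory itself group-writable so members can upload into it, which sshd rejects. That is why the post's note puts the writable per-member subfolders one level below the read-only chroot directory.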

  • by CKirk., Feb 2, 2015 9:23 AM in response to AndrewCologne
    Level 1 (0 points)

    Is there a way to make this whole setup for only one specific user instead of a group? It would be nice if this user could be a "sharing only" user since I don't want the user to have a full user profile. I did complete all of your instructions, and everything worked fine, but I would really prefer that there would not be any groups on my computer. Thanks!