SFTP chroot jail help

Hello, I am new to Lion Server and am hoping to move from a self-compiled apache/php/mysql setup to Lion Server so that I can have a multiuser setup. (As it stands, I have to upload all files and then move them to the /library/webserver/documents/sitename directory and then chmod and chown them to the _www user in order for php scripts to modify the files.)


I would like to just configure the websites to the /home/USERNAME/sites directory and have users connect to the server via SFTP so they can upload files without having to chown them. To do this I need to set up chroot jails, but I am unfamiliar with the process.


Another issue I'm having is I am unsure if this setup will even work as I want it to. Please help.


Any tips are appreciated!

Lion Server-OTHER, Mac OS X (10.7.3)

Posted on Feb 26, 2012 1:24 PM


Apr 10, 2012 10:17 AM in response to Camelot

Once you mention chroot in its config a user cannot log in anymore, via ssh or sftp. The log entry is:

sshd[17443]: fatal: bad ownership or modes for chroot directory component "/"


I checked it and permissions are correct: root-owned, not writable by any other user, down to the user's home directory, which is custom and not under /Users.


I hate it when Apple messes around with a perfectly good UNIX system. Stupid.

Feb 26, 2012 7:56 PM in response to sbattey

First off, why do you think the built-in version is going to work any differently as far as 'multiuser' is concerned?


The ability to serve user content from the home directories is just a facet of the userdir module, which is part of the standard Apache distribution - in other words, it should just be a simple switch in httpd.conf to turn it on in your existing version.


That's not to say there are no reasons to use the built-in version, just that it shouldn't be a prerequisite for your other request. Indeed, there are valid reasons to stick with your own version - you're not tied to Apple's software update cycle, for example, to deploy newer versions of Apache or PHP.


In either case, your SFTP issue is simply a matter of editing /etc/sshd_config. If you want these users to only use SFTP then it's pretty trivial - much easier than allowing them full SSH access restricted to their home directory.


To restrict a set of users to chrooted SFTP-only, just add the following to /etc/sshd_config:

Match Group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Then add a group called 'sftpusers' to your directory and add the relevant users to that group (or, alternatively, specify an existing group name if you have one).

Note that this will prevent those users from logging in with a regular SSH connection, since they're forced to use SFTP.

The 'ChrootDirectory %h' statement locks them to their home directory, and TCP forwarding is disabled (to prevent the users from opening tunneled ports once connected).

Apr 12, 2012 11:52 AM in response to Camelot

Is it possible to set a different directory than %h with ChrootDirectory? When I try, all I get for any attempt to connect is:


ssh_exchange_identification: Connection closed by remote host


I don't want users to FTP to their home directory; I want to chroot their files into a central FTP directory I've created. But I can't get ftpd to allow that. Any thoughts?
