how do I restrict an sFTP user to just their home folder?

Question

Level 1

0 points

how do I restrict an sFTP user to just their home folder?

Today I setup a user for on my Mac specifically for someone to sFTP files to my computer.

I tested the connection on another computer on the network, it worked OK but I quickly realised that after logging in via an FTP client, I could got to the root dir and start to navigate around other folders, getting to other home directories, download photos etc.. all of which I dont want the user to do.

I would like the FTP user to login, and only see their home directory, nothing else.

the root shouldnt show any files for example.

I have tried to lock things down and its a bit better, ensuring that a lot of the folders have owner only permissions, and group write only.

However there are some folders that cannot be locked down by default.

/Applications

For example, any user can read any file in that folder, even if the user is only intended to FTP files.

i have tried changing the group the user belongs to (changing it from 'Staff' to 'Nobody') but it doesnt seem to make a difference.

Hope someone can help me with this please, perhaps there is a better way. I have not used any terminal commands in what I have done, everything has been via the GUI (which I guess should be sufficient).

Posted on Aug 1, 2013 3:44 AM

Reply

Answer 1

Best reply

a brody

Level 10

83,011 points

Aug 1, 2013 5:43 AM in response to rmlloyd

http://support.apple.com/kb/PH6732- 10.6.

http://support.apple.com/kb/PH3774 - 10.7http://support.apple.com/kb/PH10669 - 10.8

Look on Google

support.apple.com Setting permissions Mac OS X 10.y

where y is your version of Mac OS X you are trying to set and you will get the article from the knowledgebase on setting permissions.

Reply

Answer 2

rmlloyd Author

Level 1

0 points

Aug 1, 2013 5:55 AM in response to a brody

thanks for the info. I know how to change permissions like that,

what I am wondering if is its possible to stop the ftp user seeing anything other than their home folder.

At the moment, when an sFTP user logs in, they see:

/Users/[USERNAME]/

it would be really nice, if they were 'shielded' from the rest of the server, so their home folder appears as root

e,g,

so just

/

instead

giving no way to get to a parent folder (other users folders, the /applications folder etc etc).

Reply

Answer 3

a brody

Level 10

83,011 points

Aug 1, 2013 8:30 AM in response to rmlloyd

If you remove "read" access for the folders you don't want attached in your sharing preferences for anybody except someone logged in locally, you should be able force it to behave that way.

Reply

Answer 4

Linc Davis

Level 10

209,547 points

Aug 1, 2013 5:51 PM in response to rmlloyd

Linux shell to restrict sftp users to their home directories? - Stack Overflow

Reply

Answer 5

rmlloyd Author

Level 1

0 points

Aug 2, 2013 2:54 AM in response to Linc Davis

Thanks Linc,

that has helped a lot.

Here is what I have done for the record:

1) opened the sshd_config file in /etc

sudo vi sshd_config

2) added the following lines to the very bottom of the file:

Match User MYUSER

# The following two directivces force klm to become chrooted

# and only have sftp available. No other chroot setup is required

ChrootDirectory /Users/MYUSER/

ForceCommand internal-sftp

# For additional paranoia, siallow all types of port forwardings

AllowTcpForwarding no

GatewayPorts no

X11Forwarding no

3) Saved the file and tried to reconnect

4) My FTP Software (on another computer on the network) wouldnt connect! I kept getting an error message:

Error: Server unexpectedly closed network conection

Error: Could not connect to server

5) I opened up the "Console" program and looked at the secure.log under /var/log and saw the following entry:

Aug 2 10:28:57 rmlloyd-imac sshd[6590]: fatal: bad ownership or modes for chroot directory component "/Users/MYUSER"

This made me realise that it was someting to do with permissions on the home folder, but I still dont quite appreciate why the user logging in doesnt have permissions to its own folder as a root.

6) Some searching on the internet yielded something like the perfect answer, that a home directory cannot be set as a chroot directory.

So I changed the ChrootDirectory to:

ChrootDirectory /Users

7) Attempt to login with sFTP again works! What I see is the root appears to be the contents of /Users

Conclusion

This is much much better than the situation I was in originally, I can set access permissions to the home directories, but the ftp user still sees them. Its not perfect but it nearly is.

I really wish I didnt have to mess around in the terminal though, as fun as it is, a check box added by apple to the user UI would do the job much easier. e.g.

"Restrict user to home folder only" - makes the home folder the root

"Restrict user to the following activities" - then have check boxes for sFTP etc...

Then the apple UI can write to the sshd_config for me 🙂.

All in all, I am very pleased and have learnt a fair bit from setting this up, so thanks to those that replied and I hope this information helps someone else one day.

Reply

Answer 6

Feb 27, 2014 8:27 AM in response to rmlloyd

Very helpful -- thanks for posting these steps.

Just one additional note, the way I implemented is it to create a subfolder inside the user's home directory so that a list of other user directories are not visible:

sudo chown root /home/user
sudo chmod go-w /home/user
sudo mkdir /home/user/access
sudo chown user /home/user/access
sudo chmod ug+rwX /home/user/access

Reply

Answer 7

nedis94

Level 1

12 points

Mar 15, 2016 11:41 AM in response to rmlloyd

I did as instructed but as soon as I add ChrootDirectory to ssdh_config connection stops working 😟 My client says: Incorrect identification: line too long. But as soon as I remove line ChrootDirectory from config file it connects just fine. But then of course all folders are accessible.

Did I do something wrong? I'm on Al Captain if this matters.

Reply