Skip to main content

Thread: Restrict SFTP access to specific directory

-

hi. i'll start off saying, need os x server. apple discussions forum unlikely kind of thing, , openssh same, i'm posting here.

i'm trying setup few user accounts restricted sftp access. i've read chrootdirectory option in sshd_config, trouble is, requires chosen directory owned root , non-writable others. way filesystem organized, that's not practical. directory i'd chroot (called cdrips) on hard drive not owned root. looks this:
code:
$ pwd  /volumes/raid1  $ ls  total 32  drwxrwxr-x    9 server        staff    374 may  5 14:21 ./  drwxrwxrwt@   6 root          admin    204 may  8 23:10 ../  drwxrwxr-x+ 424 radiosharing  staff  14416 may  8 16:21 cdrips/  ...
also, cdrips needs writable other users. i've read, seems chroot not right thing here, don't know else do. advice appreciated.
thanks.

in linux, can around mount --bind. osx, you'll need utility can read @ http://sizzo.org/wp/2008/12/mount-bind-on-osx

careful this. mount bind *not* link, if try , rm -rf on you'll removing original files. need umount first.

here complete procedure creating "radio" sftp user on linux example. "$" indicates prompt (type rest; not $ sign!). # indicates comment follows: don't have type bits. adjust macos see fit:
code:
$ sudo adduser radio # create user called "radio"
have following in /etc/ssh/sshd_config
code:
subsystem sftp internal-sftp    match group sftp           chrootdirectory %h           forcecommand internal-sftp           allowtcpforwarding no
then commands are:
code:
$ sudo adduser radio sftp # add radio sftp group $ sudo usermod -s /bin/false radio # don't allow them shell  $ sudo rm /home/radio/.bash* # don't need these files $ sudo rm /home/radio/.profile  $ sudo chown root:root /home/radio # made root chroot works $ sudo chmod 0755 /home/radio # make sure permissions correct  $ sudo mkdir /home/radio/cdrips # make cdrips dir them save $ sudo chown radio:radio /home/radio/cdrips # that's owned them
at point have normal chrooted sftp setup, "cdrips" dir can upload to.

now, bind our "cdrips" dir 1 want give access :
code:
$ sudo mount --bind /volumes/raid1/cdrips /home/radio/cdrips
so though /volumes/raid1 isn't owned root, chroot still work. dir names don't matter: have called /home/radio/cdrips if wanted. or indeed, @ all...


Forum The Ubuntu Forum Community Ubuntu Specialised Support Security Restrict SFTP access to specific directory


Ubuntu

Comments

Post a Comment

Popular posts from this blog

Adobe Acrobat Pro , Terminal Server Use

-
hello,   a fellow employee requires adobe acrobat pro installed use, , management me have sorted out. employee uses thin client connect terminal server of administration work.   i require single license adobe acrobat pro used single user.   will there license issues installing adobe acrobat pro on terminal server?   can install adobe acrobat pro on terminal server?   thanks, david hi david,   yes, can install acrobat terminal servers... !   the licensing terminal server considered normal licensing process, means need buy many number of licenses acrobat number of users accessing terminal server (like citrix) access software. eg if 10 users accessing citrix server @ particular time use acrobat software need 10 licenses same. More discussions in Installing, Updating, & Subscribing to Acrobat adobe
Read more

Thread: transmission-daemon isn't playing nice: "409: Conflict"

-
409: conflict request had invalid session-id header. fix this, follow these steps: when reading response, x-transmission-session-id header , remember it add updated header outgoing requests when 409 error message, resend request updated header requirement has been added prevent csrf attacks. error occurs when apache not running. i've tried zillion different proposed solutions involving rewriterules , proxypasses golly i'm clueless. me? following apache thing, y'know, in case. code: <virtualhost *:80> rewriteengine on documentroot /var/www <directory /> options followsymlinks allowoverride none </directory> <directory /var/www/> options indexes followsymlinks multiviews allowoverride none order allow,deny allow </directory> scriptalias /cgi-bin/ /usr/lib/cgi-bin/ <directory "/usr/lib/cgi-bin"> allowov...
Read more

Thread: gpg: Conflicting Commands

-
Image
hi, relatively new linux (have used many live disks) , have had install of ubuntu 12.04 few days now. part have found easy use , have been comfortable it. have first question can't resolve myself: adding googles repository list. when first ran command supplied google found did not have wget installed. used apt-get install it. worked fine (as far can tell) re-ran googles code : wget -q https://dl-ssl.google.com/linux/linux_signing_key.pub -o- | sudo apt-key add -deb http://dl.google.com/linux/deb/ stable non-free , message 'gpg: conflicting commands' tell me going wrong , how fix please new script : wget -q https://dl-ssl.google.com/linux/linux_signing_key.pub -o- | sudo apt-key add linux_signing_key.pub need edit /etc/apt/sources.list , add line @ end deb http://dl.google.com/linux/deb/ stable non-free end hope find usefull edit: need root or use sudo make changes /etc/apt/sour...
Read more