Linode Community Forums
 


Jail user to a folder

ktm



Joined: 11 Jul 2009
Posts: 5

Posted: Sat Jul 11, 2009 4:50 pm    Post subject: Jail user to a folder  

Hi, I tried to jail a user to a folder of my choice but I have a hard time with it. I use openssh, I know that from version 4.9 it has a feature ChrootDirectory. I succeeded in jailing the user to their home directory but I want to jail to a folder of my choice, for example /home/public_html/mysite


Added this to sshd_config:
Code:
Match group www-data1
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp


then
Code:
sudo chown root.root /home/www-data1

Code:
sudo usermod -d / www-data1

It works fine, user www-data1 is jailed to his home folder, but how do I jail the user to /home/public_html/mysite?

Thank you.
melon



Joined: 23 Mar 2008
Posts: 71

Posted: Sat Jul 11, 2009 5:26 pm    Post subject:  

I usually use scponly for that feature. The package has scponly and scponlyc as shells, with scponlyc being the chrooted sftp shell. The standard Debian/Ubuntu package even contains a script to add a user and build the chrooted home folder into a specified directory.
dfelicia



Joined: 30 Jul 2007
Posts: 77

Posted: Sat Jul 11, 2009 6:07 pm    Post subject:  

I use jailkit (http://olivier.sessink.nl/jailkit/) to create shell accounts for users. They can ssh/sftp/scp using public-key authentication. I give them bash, vim, tar, perl and other basic tools, and all of their Web files are in the jail with them. So they can do what they like with their site content, but can't touch anything on my linode.

You can jail them to any folder if you want.

Anyway, I find jailkit to be an *excellent* piece of software, and highly recommend it.
Xan



Joined: 08 Feb 2004
Posts: 562
Location: Austin

Posted: Sun Jul 12, 2009 3:10 am    Post subject:  

I second the scponly recommendation; works great for me.
melon



Joined: 23 Mar 2008
Posts: 71

Posted: Sun Jul 12, 2009 3:13 am    Post subject:  

Jailkit is also great if you wish to give your users a real shell. I usually don't want to do that :)
ktm



Joined: 11 Jul 2009
Posts: 5

Posted: Sun Jul 12, 2009 5:13 am    Post subject:  

Hi, thanks for the replies. Can someone give me a short example of using jailkit/scponly to jail a user, for example in folder /home/public_html/site?
I don't want to give any other "powers" to the user, I only want the user to be able to navigate in the jail folder and subfolders.
Xan



Joined: 08 Feb 2004
Posts: 562
Location: Austin

Posted: Sun Jul 12, 2009 5:58 pm    Post subject:  

I believe all that's involved is setting the user's shell from /bin/bash (or whatever) to /usr/sbin/scponlyc, and running the script to automatically configure the home directory with the necessary files and directories for minimal functionality (like /bin/ls, etc).

The scponly package is in Debian stable.
melon



Joined: 23 Mar 2008
Posts: 71

Posted: Mon Jul 13, 2009 8:27 am    Post subject:  

The Debian/Ubuntu package contains a shell script called setup_chroot.sh in the /usr/share/doc/scponly/setup_chroot folder. It creates the user, sets its shell and builds the chroot environment for scp/sftp only operation.

Before that you may have to run 'dpkg-reconfigure scponly' to set the suid bit of the scponlyc executable.
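
Added example, not part of any post above: for the ChrootDirectory route from the first post, sshd accepts any path (such as the poster's /home/public_html/mysite), but every component of that path must be a root-owned directory that is not writable by group or others. This shell pre-flight check walks the path and reports the first component that would fail; the function name and its OWNER_UID/TOP parameters are made up for this example, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). sshd_config fragment it supports:
#   Match group www-data1
#       ChrootDirectory /home/public_html/mysite
#       ForceCommand internal-sftp
# sshd only accepts the chroot if every path component is a directory
# owned by root and not writable by group or others.

# usage: check_chroot_path PATH [OWNER_UID] [TOP]
#   OWNER_UID  required owner, default 0 (root); override only for dry runs
#   TOP        highest ancestor to inspect, default /
# Prints the first offending component and returns 1; returns 0 if clean.
# Hypothetical helper; relies on GNU stat (-c / -L).
check_chroot_path() {
    dir=$1
    owner_uid=${2:-0}
    top=${3:-/}

    while :; do
        if [ ! -d "$dir" ]; then
            echo "not a directory: $dir"
            return 1
        fi
        uid=$(stat -L -c %u "$dir")     # numeric owner
        mode=$(stat -L -c %a "$dir")    # permission bits, octal
        if [ "$uid" != "$owner_uid" ]; then
            echo "wrong owner (uid $uid): $dir"
            return 1
        fi
        # 022 = group-write | other-write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $mode): $dir"
            return 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# On the server, as root:
#   check_chroot_path /home/public_html/mysite && echo "usable as ChrootDirectory"
```

Because the jail root itself has to stay root-owned and non-writable, anything the user should be able to upload or edit belongs in a subdirectory owned by that user.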