Linode Forum
Linode Community Forums
 Post subject: Jail user to a folder
PostPosted: Sat Jul 11, 2009 5:50 pm 
Senior Newbie

Joined: Sat Jul 11, 2009 10:38 am
Posts: 5
Hi, I tried to jail a user to a folder of my choice, but I am having a hard time with it. I use OpenSSH; I know that from version 4.9 it has a ChrootDirectory feature. I succeeded in jailing the user to their home directory, but I want to jail them to a folder of my choice, for example /home/public_html/mysite


I added this to sshd_config:
Code:
Match group www-data1
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp


then
Code:
sudo chown root:root /home/www-data1


Code:
sudo usermod -d / www-data1


It works fine; user www-data1 is jailed to his home folder, but how do I jail the user to /home/public_html/mysite?

Thank you.
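
An added example, not part of the original post: ChrootDirectory accepts any absolute path, but sshd_config(5) requires every component of that path to be a root-owned directory that group and others cannot write, so this shell check walks a candidate path and reports the components that would make sshd refuse the session. The function names and the OWNER_UID parameter are assumptions of this example; the sshd_config lines in the comment reuse the poster's group and target folder.

```shell
#!/bin/sh
# Added example: audit a directory before naming it in ChrootDirectory.
# sshd_config block this check is meant for (path taken from the question):
#   Match Group www-data1
#       ChrootDirectory /home/public_html/mysite
#       ForceCommand internal-sftp

# check_component DIR OWNER_UID: test one directory, return 0 if acceptable.
check_component() {
    dir=$1 want_uid=$2 bad=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory" >&2
        return 1
    fi
    # ls -ldn prints "mode links uid gid ..."; -L evaluates a symlink's target.
    set -- $(ls -ldnL "$dir")
    mode=$1 uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $dir: owned by uid $uid, expected $want_uid" >&2
        bad=1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th = other write
            echo "FAIL $dir: writable by group or others ($mode)" >&2
            bad=1 ;;
    esac
    return "$bad"
}

# check_chroot_path DIR [OWNER_UID]: walk from DIR up to /, checking each
# component. OWNER_UID defaults to 0 (root); it is a parameter only so the
# check can be tried out as an unprivileged user (assumption of this example).
check_chroot_path() {
    path=$1 owner=${2:-0} rc=0
    case $path in
        /*) ;;
        *) echo "FAIL $path: not an absolute path" >&2; return 2 ;;
    esac
    while :; do
        check_component "$path" "$owner" || rc=1
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_chroot_path "$@"; fi
```

Because the chroot directory itself has to stay root-owned and non-writable, files the jailed user is meant to change must live in a subdirectory owned by that user.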


 Post subject:
PostPosted: Sat Jul 11, 2009 6:26 pm
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
I usually use scponly for that feature. The package has scponly and scponlyc as shells, with scponlyc being the chrooted sftp shell. The standard Debian/Ubuntu package even contains a script to add a user and build the chrooted home folder into a specified directory.


 Post subject:
PostPosted: Sat Jul 11, 2009 7:07 pm
Senior Member

Joined: Mon Jul 30, 2007 9:55 pm
Posts: 80
I use jailkit (http://olivier.sessink.nl/jailkit/) to create shell accounts for users. They can ssh/sftp/scp using public-key authentication. I give them bash, vim, tar, perl and other basic tools, and all of their Web files are in the jail with them. So they can do what they like with their site content, but can't touch anything on my linode.

You can jail them to any folder if you want.

Anyway, I find jailkit to be an *excellent* piece of software, and highly recommend it.


 Post subject:
PostPosted: Sun Jul 12, 2009 4:10 am
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
I second the scponly recommendation; works great for me.


 Post subject:
PostPosted: Sun Jul 12, 2009 4:13 am
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
Jailkit is also great if you wish to give your users a real shell. I usually don't want to do that :)


 Post subject:
PostPosted: Sun Jul 12, 2009 6:13 am
Senior Newbie

Joined: Sat Jul 11, 2009 10:38 am
Posts: 5
Hi, thanks for the replies. Can someone give me a short example of using jailkit/scponly to jail a user, for example in the folder /home/public_html/site?
I don't want to give any other "powers" to the user; I only want the user to be able to navigate in the jail folder and its subfolders.


 Post subject:
PostPosted: Sun Jul 12, 2009 6:58 pm
Senior Member

Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
I believe all that's involved is setting the user's shell from /bin/bash (or whatever) to /usr/sbin/scponlyc, and running the script to automatically configure the home directory with the necessary files and directories for minimal functionality (like /bin/ls, etc).

The scponly package is in Debian stable.


 Post subject:
PostPosted: Mon Jul 13, 2009 9:27 am
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
The Debian/Ubuntu package contains a shell script called setup_chroot.sh in the /usr/share/doc/scponly/setup_chroot folder. It creates the user, sets its shell and builds the chroot environment for scp/sftp only operation.

Before that you may have to run 'dpkg-reconfigure scponly' to set the suid bit of the scponlyc executable.

