brent saner via plug on 27 Mar 2025 15:10:09 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Problems chrooting for sftp on RedHat

On Thu, Mar 27, 2025 at 2:54 PM Mike Leone via plug <plug@lists.phillylinux.org> wrote:
I'm having a problem on a Red Hat cluster. We want the users to be able to only sftp in, and only to their own home directory. Pretty standard.

So here's the setup. We have a folder structure /sftp-area/vendor/<user>. All users are a member of a group called "FileCollector". Here's what it looks like:
<snipped out other directories>

SO first off, you mention `/sftp-area/` here. Below shows `/ftp-area`. Typo?
 


[root@PHAFTP002 /]# ls -la
total 36
drwxrwxrwx.   5 root FileCollector 4096 Jul 26  2022 ftp-area

Nope. make this 0755 or 0555, owned root:root. See sshd_config(5), `ChrootDirectory` description, first paragraph.
 
[root@PHAFTP002 ftp-area]# ls -la
total 28
drwxrwxrwx.  5 root FileCollector  4096 Jul 26  2022 .
dr-xr-xr-x. 21 root root            278 Mar 27 09:14 ..
drwx------.  2 root root          16384 Jul 25  2022 lost+found
drwxr-x--x.  6 root root           4096 Jul 25  2022 nfsinfo
drwxrwxr-x. 10 root FileCollector  4096 Mar 27 10:53 vendor
[root@PHAFTP002 ftp-area]#

Nope. `vendor` should be 0755 or 0555, root:root. (0751 or 0711 or 0551 or  0511 should work fine as well, from recollection.)
 
[root@PHAFTP002 vendor]# ls -la
total 40
drwxrwxr-x. 10 root     FileCollector 4096 Mar 27 10:53 .
drwxrwxrwx.  5 root     FileCollector 4096 Jul 26  2022 ..
drwxrwxr-x.  4 lowespro FileCollector 4096 Mar 27 11:19 lowespro

OK, so the user "lowespro" has a home directory of /ftp-area/vendor/lowespro.

[root@PHAFTP002 vendor]# cat /etc/passwd
lowespro:x:1009:1001::/ftp-area/vendor/lowespro/home:/bin/bash
[root@PHAFTP002 vendor]#

Nope. ChrootDirectory is set (per below) as /ftp-area/vendor/%u

This is a root. When user `foo` logs in, their `/` will be mapped to `/ftp-area/vendor/foo` ACTUAL.

Thus a user with a homedir of `/ftp-area/vendor/lowespro/home` is actually mapped to real path `/ftp-area/vendor/lowespro/ftp-area/vendor/lowespro/home` for homedir.

You probably don't want that.
 
And is a member of the right group:

[root@PHAFTP002 vendor]# groups lowespro
lowespro : FileCollector
[root@PHAFTP002 vendor]#

We're chrooting like this:

# override default of no subsystems
# Subsystem     sftp    /usr/libexec/openssh/sftp-server
# Subsystem      sftp    internal-sftp -d /home
subsystem       sftp    internal-sftp
Match Group FileCollector
ChrootDirectory /ftp-area/vendor/%u

So why doesn't this work?

(SNIP)
debug1: pledge: filesystem full
This is probably also something you'll want to look into if it isn't related to the botched chroot homedir mapping.
 
The log seems to indicate permissions, but I'm failing to see where:
Right here; see above: 
Mar 27 14:32:44 PHAFTP002.pha.phila.gov sshd[114622]: fatal: bad ownership or modes for chroot directory component "/ftp-area/" [postauth]
(SNIP) 
Mar 27 14:50:28 PHAFTP002.pha.phila.gov sshd[137342]: fatal: bad ownership or modes for chroot directory component "/ftp-area/" [postauth]
 
I'm missing something simple here, but what??
 
Yep. ChrootDirectory section in sshd_config(5), first paragraph for perms/ownership on all leading paths, and the homedirs for the users is probably not what you want it to be.

Based on what seems to be your desired behavior:

  1. find /ftp-area/vendor -mindepth 2 -maxdepth 2 -type d -name 'home' -exec chmod 0750 '{}' \;
  2. chmod 0551 /ftp-area{,/vendor}
  3. chown root:root /ftp-area{,/vendor{,/*}}
  4. chmod 0555 /ftp-area/vendor/*
  5. /etc/ssh/sshd_config: ChrootDirectory /ftp-area/vendor/%u
  6. restart sshd
  7. change home directory for ALL sftp-chrooted users to `/home`
should let you do what you want without changing any hierarchy.

That won't let members of `FileCollector` see or access other "chrooted homes", though. That's not going to be possible with a tokenized ChrootDirectory.
What you'd want to do INSTEAD in THAT case is (in ADDITION to steps 2, 3, 4 above):

  1. set the homedir to the nice clean system default for the chrooted sftp users to `/home/<username>` (i.e. /home/<vendor>)
  2. mkdir /ftp-area/vendor/home
  3. chown root:root /ftp-area/vendor/home
  4. chmod 0751 /ftp-area/vendor/home
  5. (make a dir for every vendor as /ftp-area/vendor/home/<vendor>)
  6. (chown <vendor>:FileCollector /ftp-area/vendor/home/<vendor>)
  7. find /ftp-area/vendor/home -mindepth 1 -maxdepth 1 -type d -exec chmod 0750 '{}' \;
  9. /etc/ssh/sshd_config: ChrootDirectory /ftp-area/vendor
  10. restart sshd
that will let any sftp-chrooted user, as long as they're in FileCollector, *access* other vendor dirs (e.g. the sftp command `cd /home/<other_vendor>/some_sub_directory` will work) but NOT list them (e.g. sftp command `ls /home` will NOT WORK).
I CANNOT stress this enough, though, that security through obscurity is not security at all, and if you need to grant cross-vendor access this should really be done with POSIX ACLs[0] instead, and selectively so.

[0] https://man7.org/linux/man-pages/man5/acl.5.html
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug