# jail a user to $home using sftp? or better use opensslcrypt?

## SoylentGreen

topic says it all?

works fine using proftpd and many other ftp servers, but how do I get this done using sftp   :Shocked: 

or is "opensslcrypt" a way in proftpd? I have never heard of that so far.. do Windows ftp clients support this at all   :Shocked: 

----------

## xerxes2695

You might want to check out rbash.  You could just change their login shell to it and then it would persist across anything that relies on user accounts.  I'm pretty sure this effectively jails them.

----------

## humbletech99

I am setting up an sftp server but want each user account chrooted to its own jail. I have followed http://gentoo-wiki.com/HOWTO_SFTP_Server_%28chrooted%2C_without_shell%29 but am having problems getting it to work. I connect using sftp but the connection is immediately closed.

I have got allowsftp in my rssh.conf and I've also got /dev/null and /dev/log inside the jail, as well as library dependencies. I actually compiled a static openssh and static rssh to minimize the need for libraries inside the jails, so really I only have the following in my jail:

```
srw-rw-rw- 1 root root      0 Mar 26 18:49 dev/log
crw-rw-rw- 1 root root   1, 3 Mar 27 14:43 dev/null
-rw-r--r-- 1 root root     13 Mar 27 17:48 etc/group
-rw-r--r-- 1 root root     44 Mar 27 16:49 etc/passwd
-rw-r--r-- 1 root root     59 Mar 27 17:48 etc/shadow
-rwxr-xr-x 1 root root 109696 Mar 27 14:40 lib/ld-linux.so.2
-rwxr-xr-x 1 root root  22456 Mar 27 14:40 lib/libcrypt.so.1
-rwxr-xr-x 1 root root  30836 Mar 27 14:41 lib/libnss_compat.so.2
-rwxr-xr-x 1 root root 578776 Mar 27 17:03 usr/bin/sftp

usr/lib/misc:
total 1108
-rwx--x--x 1 root root 573240 Mar 27 14:38 rssh_chroot_helper
-rwxr-xr-x 1 root root 549164 Mar 27 14:39 sftp-server
```

I have also got the chroot patch on my openssh installation but am unsure how to use it. I have done the /home/user/./ trick in /etc/passwd which seems to chroot the user to their home dir but the connection is again immediately closed without giving the sftp prompt.

Any ideas?

Do you have a better way of doing a chrooted sftp server, perhaps without libraries inside the jail?

----------

## SoylentGreen

welcome to the club:

https://forums.gentoo.org/viewtopic-t-549439-highlight-.html

Unfortunately your post is a dupe, though; I have not solved that problem yet either.

----------

## humbletech99

I have solved mine; finicky, but I got there in the (very long) end. Quite annoying since the theory is straightforward, but the niggles are many.

----------

## humbletech99

Use scponly. Simple and works well.

----------

## SoylentGreen

 *humbletech99 wrote:*   

> Use scponly. Simple and works well.

Just emerging that one, thx. However, is this possible for usual Windows users as clients?

----------

## SoylentGreen

Hmm.. I just realized it creates a user scponly, and a group.

Well, my goal is having every user uploading stuff, every user downloading stuff, but deleting only stuff uploaded by themselves. Is this possible?

Doesn't look like that to me yet..   :Shocked: 

----------

## humbletech99

Of course.

The way I did it was better, where every user gets their own isolated environment.

What you want is simple.

Without any work, your users right now can scp stuff to your server if they have valid accounts.

If you just uncomment the subsystem sftp line in sshd config then they also have sftp right off the bat (restart obviously).

By default your users will only be able to write to their own home dir, so this sorts what you've just asked for.

----------

## SoylentGreen

Well, I have a directory mounted to every user (mount --bind)   :Shocked: 

Would this still work?

I am able to test this in a few hours (still @work).

Any hints appreciated, and thx for your support! Thank you much, really. I was unsure how to use rbash, hmm  :Wink: 

----------

## humbletech99

Yes, it should still work. Can I just ask why you are doing a mount bind? It is useful sometimes but I am unsure as to why you are doing it in this case.

if you are doing it to enforce space quotas then I think that limits.conf might be what you want instead.

----------

## SoylentGreen

Well, I am doing this because I jail users to their $HOME. However, I have a separate directory with data for *some* users. I mount this one using --bind to their $home, because proftpd doesn't like symlinks (hmm.. at least the last time I tried that).

Anything wrong with using --bind? Didn't have any problems with this so far..

----------

## humbletech99

Not that I can think of. I assume you are binding a private subdirectory of your storage partition for each user so the storage area isn't shared?

You may want to enable the quotas I mentioned before as well, so one user can't fill up the storage partition.

----------

## SoylentGreen

 *humbletech99 wrote:*   

> Not that I can think of. I assume you are binding a private subdirectory of your storage partition for each user so the storage area isn't shared?

Yes, exactly.

 *humbletech99 wrote:*   

> You may want to enable the quotas I mentioned before as well, so one user can't fill up the storage partition.

Well, it's just a group of family & friends, so quotas aren't an issue here. But thx for the hint!

It's just that some files are public, and some are not (videos shared to my family should not be downloaded by friends, etc..).

It's a dyndns $homeserver.

----------

## humbletech99

Rather than have all that mounting, why don't you just make the homes on the big storage partition? Might be easier for you...

----------

## SoylentGreen

 *humbletech99 wrote:*   

> Rather than have all that mounting, why don't you just make the homes on the big storage partition? Might be easier for you...

Well, I am aware English is not my native language; maybe that's the reason you did not get my point?

Storage is not an issue, privacy is.

a) An FTP user is jailed to his $home. I simply want it that way. I do not like them "browsing" around my hard disks.

Also I dislike them browsing, whatever. They should "see" just their very own home folder.

b) Now I do have exceptions. I would like users A, C and F to see directory xyz.

I do *not* want users B, D and E to see this directory!

So I mount --bind directory xyz to the home directory of users A, C and F.

Hmm, dunno if this is clear now. I can't find a better way to explain this.

And - YES, this is working perfectly for me  :Wink: 

PS: nice weekend, btw!

----------

## humbletech99

You misunderstand me. If you made /home the big disk, then each user would still be jailed to their home directory, but you would have a simpler mounted setup and no need to bind on to a dir in their home directory, as their home directories would have enough space on the big disk to not need this.

Just a suggestion, you don't have to do this.

----------

## SoylentGreen

 *humbletech99 wrote:*   

> You misunderstand me.

No, I did not. You did. (I know this sounds silly, though..)

 *humbletech99 wrote:*   

> If you made /home the big disk

Disk space is not an issue. Is my English really that bad? I already wrote storage is not an issue here.

 *humbletech99 wrote:*   

> then each user would still be jailed to their home directory, but you would have a simpler mounted setup and no need to bind on to a dir in their home directory, as their home directories would have enough space on the big disk to not need this.

Agaaain: space is not an issue.

I like to make special directories available to special users. That's it. Simple as that.

The "mount --bind" is on the very same disk.

----------

## humbletech99

Ok, I think I understand: you have directories x, y and z, and you bind those directories to multiple homes so that those users can share the directories easily, rather than having separate directories for every user, right?

Ok, well I hope you got your chrooted sftp ok.
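
As an added example (not code from this thread or from rssh/scponly), for both the chrooted-sftp question earlier in the thread and the "shared directory for some users" setup at the end: a POSIX sh helper that checks a candidate jail against the ownership rules OpenSSH's ChrootDirectory (4.8 and later, with internal-sftp, which needs no libraries inside the jail) enforces, and prints the sshd_config block that jails one group. The group name sftponly, the /srv/sftp/%u layout and a Linux host with GNU or busybox stat are assumptions.

```shell
# Added example, not from the thread. Assumed placeholders: group "sftponly",
# jail root /srv/sftp/<user>; assumes a Linux host (stat -c).

# sshd refuses the chroot unless the directory and every ancestor are owned by
# root and not writable by group or others. Prints the first offending path and
# returns 1; returns 0 when the whole chain up to / is acceptable.
check_chroot_dir() {
    p=$1
    while :; do
        # "%u %a" -> numeric owner uid and octal mode string, e.g. "0 755"
        out=$(stat -c '%u %a' "$p") || return 1
        set -- $out
        uid=$1
        m=$((0$2))            # leading 0 makes the shell parse it as octal
        # 18 == 0o22: group-write (0o20) | other-write (0o02)
        if [ "$uid" -ne 0 ] || [ $((m & 18)) -ne 0 ]; then
            printf '%s\n' "$p"
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Print the sshd_config fragment. The Subsystem line must precede any Match
# block. Because the jail root must stay root-owned and unwritable, each user
# gets a writable subdirectory (e.g. /srv/sftp/<user>/upload owned by them) and
# shared folders for selected users are bind-mounted beneath it, as in the thread.
sftp_match_block() {
    group=$1
    cat <<EOF
Subsystem sftp internal-sftp

Match Group $group
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}
```

Run `check_chroot_dir /srv/sftp/alice` before enabling the Match block; a group- or world-writable component anywhere in the path is the usual reason sshd drops the connection right after login.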

----------

