1

I would like to restrict a user (user sftp-user, group webgroup) to sftp access for the /var/www/html directory in CentOS 8. They should have read and write permissions so they can make changes to website files.

I am able to successfully jail the user to their homedir with ChrootDirectory %h but I can't quite get it to work when I change it to ChrootDirectory /var/www/html in /etc/ssh/sshd_config. The user gets this error when trying to sftp:

fatal: bad ownership or modes for chroot directory "/var/www/html"

What I did is try to use setfacl to give the group webgroup rw- permissions for /var/www/html (though not recursively, but everything inside that folder is owner by sftp-user:group).

How do I get it to work? I've seen some solutions suggest using mount, I'm not sure if that's the better solution.

Also, the html folder is owner by root:root, and everything inside it is owned by sftp-user:webgroup as I mentioned. Is this the correct ownership?

for the sake of completeness, here's the output of getfactl /var/www/html:

# file: html/
# owner: root
# group: root
user::rwx
group::r-x
group:webgroup:rw-
mask::rwx
other::r-x

Thank you.

location
  • 53
  • 6
  • As I understand `man 5 sshd_config`, the chroot must be owned by `root` and not be writable by anybody else. I don't know if `sshd` checks ACLs there (apparently so?), but I wonder how your `ChrootDirectory %h` ever worked then. Is setting `sftp-user`'s home to `/var/www/html` an option at all for you? – Ulrich Schwarz Jul 14 '20 at 15:40
  • I just changed the user's home as you suggested but no dice. I get the same error with the new homedir. – location Jul 14 '20 at 16:47

1 Answers1

0

I got this figured out. It looks like I was conflating different factors. Trying to work with sftp and ACL at the same time caused me to misdiagnose the problem. All credit to Ulrich Schwarz for essentially solving the problem.

To make it work, I had to make sure every directory in the path /var/www/html was owned by root as chroot jail apparently requires.

The other problem was that the permissions on html were changed to 775 at one point while I was trying to figure this out. I changed them to 755 and I was able to sftp into ChrootDirectory with no problem.

On the ACL front, the files in /var/www/html are owned by apache:apache, while the user is sftp-user in group webgroup. I simply gave the user rwX permissions:

setfacl -Rm u:sftp-user:rwX html

-m is modify, -R is recursive.

location
  • 53
  • 6