RedHat: chroot user to subfolder with a different user chroot'd to the parent folder











I have a RedHat server with SFTP enabled and a few accounts; this server is currently being accessed by an application to read the users' respective files, and they do not have Write access. The server is also not on the same domain/network, but ports/firewalls are configured for access.



The current setup includes the following directory structure and permissions:



/sftp / users / user1 / data / FilesAndFolders
sftp: 755 root:root
users: 755 root:root
user1: 754 root:user1
subfolders: 554 user1:user1


The users are set up with CHROOT via the below:



Match Group user1
x11Forwarding no
AllowTcpForwarding no
ChrootDirectory /sftp/users/user1
ForceCommand internal-sftp


This allows the users access to their respective folders with Read-Only access.



My issue is that I cannot seem to create an "SFTP Manager" type of account that would have Read/Write access to the whole SFTP folder AND be CHROOT'd to the SFTP folder (or the Data folder, either is OK).



The issue appears to be how the CHROOT is set up: with the current setup you will encounter errors when connecting via FileZilla if the CHROOT is set to the "users" folder or any of the subfolders; it has to be the user1 folder.



Any suggestions or pointers would be greatly appreciated (I feel like I've missed something obvious); I'm also open to alternatives that allow the following:




  • Users are locked to only seeing their files with Read-Only.

  • A manager account that has Read/Write to all the users folders.

  • Can be set up within a Linux distro and isn't overly "hacky" to access via C# (hacky, e.g. Windows shared folder mappings).

  • Is moderately secure/uses username and password to access.


EDIT: I believe this is a very similar issue to this one, which is unsolved.










      file-permissions redhat-enterprise-linux sftp chroot-jail






      asked Nov 15 at 12:22









      Erik

      61
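As an added example (my code, not from the question, from Red Hat or from OpenSSH), a POSIX shell check for the path-ownership rule sshd applies to ChrootDirectory: it walks from / down to the proposed chroot and flags any component that is not owned by root or is writable by group or others, which is one common reason a chroot to a parent folder such as /sftp/users fails while the per-user chroot works. The function names and the optional TOP argument are my own.

```shell
# Added example (not from the question or from OpenSSH): check a candidate sshd
# ChrootDirectory against the rule sshd enforces before it will chroot a session:
# every path component from / down to the chroot itself must be owned by root
# and must not be writable by group or others. A violation is logged as
# "bad ownership or modes for chroot directory component" and the login fails.
# Requires GNU stat (Linux).

# check_dir_component DIR WANT_UID
# 0 when DIR is a directory owned by WANT_UID with no group/other write bit,
# otherwise prints why and returns 1.
check_dir_component() {
    d=$1; want_uid=$2; comp_rc=0
    [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    # numeric owner uid and octal mode, e.g. "0 755" or "0 1777"
    set -- $(stat -c '%u %a' "$d")
    uid=$1; mode=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "wrong owner (uid $uid, want $want_uid): $d"; comp_rc=1
    fi
    other=${mode#"${mode%?}"}                      # last octal digit (others)
    group=${mode%?}; group=${group#"${group%?}"}   # second-to-last digit (group)
    case $group in 2|3|6|7) echo "group-writable (mode $mode): $d"; comp_rc=1 ;; esac
    case $other in 2|3|6|7) echo "world-writable (mode $mode): $d"; comp_rc=1 ;; esac
    return $comp_rc
}

# check_chroot_path TARGET [WANT_UID] [TOP]
# Walks from TOP (default /) down to TARGET and checks every component.
# WANT_UID defaults to 0 (root). TOP is only a hook so the walk can be exercised
# on a scratch tree without root; for a real sshd check leave it at /.
check_chroot_path() {
    target=$1; want_uid=${2:-0}; top=${3:-/}
    comps=""; dir=$target
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ]; do
        comps="$dir $comps"
        dir=$(dirname "$dir")
    done
    walk_rc=0
    for c in "$top" $comps; do
        check_dir_component "$c" "$want_uid" || walk_rc=1
    done
    return $walk_rc
}

# Real check for the parent-folder chroot the question wants:
#   check_chroot_path /sftp/users && echo "path chain OK for ChrootDirectory"
```

Run it as root on the server against the exact path you intend to put in ChrootDirectory; any line it prints names a component sshd will reject.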



