RedHat: chroot user to subfolder with a different user chroot'd to the parent folder











up vote
1
down vote

favorite
1












I have a RedHat server with SFTP enabled and a few accounts, this server is currently being accessed by an application to read the user's respective files, they do not have Write access. The server is also not on the same domain/network, but ports/firewalls are configured for access.



The current setup includes the following directory structure and permissions:



/sftp / users / user1 / data / FilesAndFolders
sftp: 755 root:root
users: 755 root:root
user1: 754 root:user1
subfolders: 554 user1:user1


The users are set up with CHROOT via the below:



Match Group user1
x11Forwarding no
AllowTcpForwarding no
ChrootDirectory /sftp/users/user1
ForceCommand internal-sftp


This allows the users access to their respective folders with Read-Only access.



My issue is that I cannot seem to create a "SFTP Manager" type of account, that would have Read/Write access to the whole SFTP folder, AND be CHROOT'd to the SFTP folder (or the Data folder, either is OK).



The issue appears to be how the CHROOT is set up, with the current setup you will encounter errors when connecting via FileZilla if the CHROOT is set to the "users" folder or any of the subfolders, it has to be the user1 folder.



Any suggestions or pointers would be greatly appreciated (I feel like i've missed something obvious), i'm also open to alternatives that allow the following:




  • Users are locked to only seeing their files with Read-Only.

  • A manager account that has Read/Write to all the users folders.

  • Can be set up within a Linux distro and isn't overly "hackey" to access via C# (hackey eg Windows shared folder mappings).

  • Is moderately secure/uses username and password to access.


EDIT: I believe this is a very similar issue to this one which is unsolved.










share|improve this question







New contributor




Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    1
    down vote

    favorite
    1












    I have a RedHat server with SFTP enabled and a few accounts, this server is currently being accessed by an application to read the user's respective files, they do not have Write access. The server is also not on the same domain/network, but ports/firewalls are configured for access.



    The current setup includes the following directory structure and permissions:



    /sftp / users / user1 / data / FilesAndFolders
    sftp: 755 root:root
    users: 755 root:root
    user1: 754 root:user1
    subfolders: 554 user1:user1


    The users are set up with CHROOT via the below:



    Match Group user1
    x11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /sftp/users/user1
    ForceCommand internal-sftp


    This allows the users access to their respective folders with Read-Only access.



    My issue is that I cannot seem to create a "SFTP Manager" type of account, that would have Read/Write access to the whole SFTP folder, AND be CHROOT'd to the SFTP folder (or the Data folder, either is OK).



    The issue appears to be how the CHROOT is set up, with the current setup you will encounter errors when connecting via FileZilla if the CHROOT is set to the "users" folder or any of the subfolders, it has to be the user1 folder.



    Any suggestions or pointers would be greatly appreciated (I feel like i've missed something obvious), i'm also open to alternatives that allow the following:




    • Users are locked to only seeing their files with Read-Only.

    • A manager account that has Read/Write to all the users folders.

    • Can be set up within a Linux distro and isn't overly "hackey" to access via C# (hackey eg Windows shared folder mappings).

    • Is moderately secure/uses username and password to access.


    EDIT: I believe this is a very similar issue to this one which is unsolved.










    share|improve this question







    New contributor




    Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      1
      down vote

      favorite
      1









      up vote
      1
      down vote

      favorite
      1






      1





      I have a RedHat server with SFTP enabled and a few accounts, this server is currently being accessed by an application to read the user's respective files, they do not have Write access. The server is also not on the same domain/network, but ports/firewalls are configured for access.



      The current setup includes the following directory structure and permissions:



      /sftp / users / user1 / data / FilesAndFolders
      sftp: 755 root:root
      users: 755 root:root
      user1: 754 root:user1
      subfolders: 554 user1:user1


      The users are set up with CHROOT via the below:



      Match Group user1
      x11Forwarding no
      AllowTcpForwarding no
      ChrootDirectory /sftp/users/user1
      ForceCommand internal-sftp


      This allows the users access to their respective folders with Read-Only access.



      My issue is that I cannot seem to create a "SFTP Manager" type of account, that would have Read/Write access to the whole SFTP folder, AND be CHROOT'd to the SFTP folder (or the Data folder, either is OK).



      The issue appears to be how the CHROOT is set up, with the current setup you will encounter errors when connecting via FileZilla if the CHROOT is set to the "users" folder or any of the subfolders, it has to be the user1 folder.



      Any suggestions or pointers would be greatly appreciated (I feel like i've missed something obvious), i'm also open to alternatives that allow the following:




      • Users are locked to only seeing their files with Read-Only.

      • A manager account that has Read/Write to all the users folders.

      • Can be set up within a Linux distro and isn't overly "hackey" to access via C# (hackey eg Windows shared folder mappings).

      • Is moderately secure/uses username and password to access.


      EDIT: I believe this is a very similar issue to this one which is unsolved.










      share|improve this question







      New contributor




      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I have a RedHat server with SFTP enabled and a few accounts, this server is currently being accessed by an application to read the user's respective files, they do not have Write access. The server is also not on the same domain/network, but ports/firewalls are configured for access.



      The current setup includes the following directory structure and permissions:



      /sftp / users / user1 / data / FilesAndFolders
      sftp: 755 root:root
      users: 755 root:root
      user1: 754 root:user1
      subfolders: 554 user1:user1


      The users are set up with CHROOT via the below:



      Match Group user1
      x11Forwarding no
      AllowTcpForwarding no
      ChrootDirectory /sftp/users/user1
      ForceCommand internal-sftp


      This allows the users access to their respective folders with Read-Only access.



      My issue is that I cannot seem to create a "SFTP Manager" type of account, that would have Read/Write access to the whole SFTP folder, AND be CHROOT'd to the SFTP folder (or the Data folder, either is OK).



      The issue appears to be how the CHROOT is set up, with the current setup you will encounter errors when connecting via FileZilla if the CHROOT is set to the "users" folder or any of the subfolders, it has to be the user1 folder.



      Any suggestions or pointers would be greatly appreciated (I feel like i've missed something obvious), i'm also open to alternatives that allow the following:




      • Users are locked to only seeing their files with Read-Only.

      • A manager account that has Read/Write to all the users folders.

      • Can be set up within a Linux distro and isn't overly "hackey" to access via C# (hackey eg Windows shared folder mappings).

      • Is moderately secure/uses username and password to access.


      EDIT: I believe this is a very similar issue to this one which is unsolved.







      file-permissions redhat-enterprise-linux sftp chroot-jail






      share|improve this question







      New contributor




      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked Nov 15 at 12:22









      Erik

      61




      61




      New contributor




      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Erik is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.



























          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Erik is a new contributor. Be nice, and check out our Code of Conduct.










           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375660%2fredhat-chroot-user-to-subfolder-with-a-different-user-chrootd-to-the-parent-fo%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          Erik is a new contributor. Be nice, and check out our Code of Conduct.










           

          draft saved


          draft discarded


















          Erik is a new contributor. Be nice, and check out our Code of Conduct.













          Erik is a new contributor. Be nice, and check out our Code of Conduct.












          Erik is a new contributor. Be nice, and check out our Code of Conduct.















           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375660%2fredhat-chroot-user-to-subfolder-with-a-different-user-chrootd-to-the-parent-fo%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          AnyDesk - Fatal Program Failure

          How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

          QoS: MAC-Priority for clients behind a repeater