rukokahn
Posts: 2
Joined: Wed Aug 01, 2018 8:03 pm

Trap User In Directory Tree

Wed Aug 01, 2018 8:15 pm

Hey all!

I have an issue I have never run into.

I want to trap users logging into my Pi in a directory tree.

I have an external drive mounted via USB at:

/mnt/Files/

I have edited .bashrc to start the users in:

/mnt/Files/Share/

I want to trap these users in /mnt/Files/Share/; I don't want them to be able to go lower in the directory tree. For example, I do not want them to be able to "cd .." to go lower, but they should be able to use "cd" to go higher on the tree, use "ls", "mkdir", etc. I just want them stuck where they are and not able to reach "cd /".

Is this possible? I know you can take away "cd", "ls", "mkdir", etc., but that's not what I want. They will be using WinSCP to dump files via SSH, and I don't want them to be able to reach other directory structures like /etc/fstab!!!

Thoughts??? Thanks in advance

DougieLawson
Posts: 34144
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Trap User In Directory Tree

Wed Aug 01, 2018 9:20 pm

How are they accessing your filesystem?

chroot is the way to lock a user to a specific part of the filesystem. They can't access anything above the point where you run the chroot. (A chroot jail is often used for an ftp server to give some level of protection.)
Microprocessor, Raspberry Pi & Arduino Hacker
Mainframe database troubleshooter
MQTT Evangelist
Twitter: @DougieLawson

2012-18: 1B*5, 2B*2, B+, A+, Z, ZW, 3Bs*3, 3B+

Any DMs sent on Twitter will be answered next month.

rukokahn
Posts: 2
Joined: Wed Aug 01, 2018 8:03 pm

Re: Trap User In Directory Tree

Thu Aug 02, 2018 12:57 am

Thanks for the reply.

For testing, I have been logging the users in via SSH. Ultimately, the users will be logging in with WinSCP to store and move files around.

DougieLawson
Posts: 34144
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Trap User In Directory Tree

Thu Aug 02, 2018 7:41 am


tpyo kingg
Posts: 321
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Trap User In Directory Tree

Thu Aug 02, 2018 9:07 am

rukokahn wrote:
Thu Aug 02, 2018 12:57 am
For testing, I have been logging the users in via SSH. Ultimately, the users will be logging in with WinSCP to store and move files around.
If they don't need shell access then chrooting is easy. If they do need an interactive shell, then see the above link. It's a pain.

If you can get by with only SFTP, then that is best. Despite the name, WinSCP supports SFTP and that is relatively easy to chroot. See "man sshd_config" on the server and look for the ChrootDirectory and ForceCommand directives. The only gotcha is that ChrootDirectory must point to a directory owned by root and not writable by anyone other than root. Files and subdirectories can be owned or writable by anyone, however.

So if you have these permissions on the destination system:


sudo addgroup sftponly;  # once only

sudo gpasswd --add user1 sftponly
sudo chown root:user1 /home/user1/
sudo chmod u=rwx,g=rx,o= /home/user1/

sudo mkdir /home/user1/user1/
sudo chown user1:user1 /home/user1/user1/

Then in the OpenSSH server's configuration on the destination machine, append:


Match Group sftponly
        ChrootDirectory /home/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp -d %u

And then have the OpenSSH server reload the configuration file.

Edit: "sudo chown root:root /home/user1/" -> sudo chown root:user1 /home/user1/
Last edited by tpyo kingg on Tue Oct 16, 2018 4:54 am, edited 1 time in total.

IJMOO
Posts: 1
Joined: Mon Oct 15, 2018 8:21 pm

Re: Trap User In Directory Tree

Mon Oct 15, 2018 8:25 pm

This is driving me nuts.... followed this to the letter and all I get is


Status:	Connecting to 192.168.1.21...
Status:	Connected to 192.168.1.21
Status:	Retrieving directory listing...
Status:	Listing directory /
Error:	Unable to open .: permission denied

tpyo kingg
Posts: 321
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Correction to chown

Tue Oct 16, 2018 4:59 am

Apologies. There is an error (typo?) in the chown line:

It says "sudo chown root:root /home/user1/"

and it should be instead "sudo chown root:user1 /home/user1/"

The chroot target directory needs at least x permissions for the group and the group has to be one which allows the account to actually take advantage of those permissions. rx is ok too.

I should copy/paste and not re-key. I've fixed it above with an edit and annotated it.
