Page 1 of 1

Trap User In Directory Tree

Posted: Wed Aug 01, 2018 8:15 pm
by rukokahn
Hey all!

I have an issue I have never run into.

I want to trap users logging into my Pi in a directory tree.

I have an external drive mounted via USB at:

/mnt/Files/

I have edited .bashrc to start the users in:

/mnt/Files/Share/

I want to trap these user in /mnt/Files/Share/, I don't want the to be able to go lower in the directory tree. For example, I do not want them to be able to "cd .." to go lower, but they should be able to use "cd" to go higher on the tree, use "ls", "mkdir", etc... I just want them stuck where they are and not be able to reach "cd /".

Is this possible? i know you can take away "cd", "ls", "mkdir", etc, but that's not what I want. They will be using WinSCP to dump files via SSH, and I don't want them to be able to reach other directory structures like /etc/fstab!!!

Thoughts??? Thanks in advance

Re: Trap User In Directory Tree

Posted: Wed Aug 01, 2018 9:20 pm
by DougieLawson
How are they accessing your filesystem?

chroot is the way to lock a user to a specific part of the filesystem. They can't access anything above the point where you run the chroot. (A chroot jail is often used for an ftp server to give some level of protection.)

Re: Trap User In Directory Tree

Posted: Thu Aug 02, 2018 12:57 am
by rukokahn
Thanks for the reply.

For testing, I have been logging the users in via SSH. Ultimately, the users will be logging in with WinSCP to store and move files around.

Re: Trap User In Directory Tree

Posted: Thu Aug 02, 2018 7:41 am
by DougieLawson

Re: Trap User In Directory Tree

Posted: Thu Aug 02, 2018 9:07 am
by tpyo kingg
rukokahn wrote:
Thu Aug 02, 2018 12:57 am
For testing, I have been logging the users in via SSH. Ultimately, the users will be logging in with WinSCP to store and move files around.
If they don't need shell access then chrooting is easy. If they do need an interactive shell, the see the above link. It's a pain.

If you can get by with only SFTP, then that is best. Despite the name, WinSCP supports SFTP and that is relatively easy to chroot. See "man sshd_config" on the server and look for the ChrootDirectory and ForceCommand directives. The only gotcha is that ChrootDirectory must point to a directory owned by root and not writable by anyone other than root. Files and subdirectories can by owned or writable by anyone however.

So if you have these permissions on the destination system:

Code: Select all

sudo addgroup sftponly;  # once only

sudo gpasswd --add user1 sftponly
sudo chown root:user1 /home/user1/
sudo chmod u=rwx,g=rx,o= /home/user1/

sudo mkdir /home/user1/user1/
sudo chown user1:user1 /home/user1/user1/
Then in the OpenSSH server's configuration on the destination machine, append:

Code: Select all

Match Group sftponly
        ChrootDirectory /home/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp -d %u
And then have the OpenSSH server reload the configuration file.

Edit: "sudo chown root:root /home/user1/" -> sudo chown root:user1 /home/user1/

Re: Trap User In Directory Tree

Posted: Mon Oct 15, 2018 8:25 pm
by IJMOO
This is driving me nuts.... followed this to the letter and all I get is

Code: Select all

Status:	Connecting to 192.168.1.21...
Status:	Connected to 192.168.1.21
Status:	Retrieving directory listing...
Status:	Listing directory /
Error:	Unable to open .: permission denied

Correction to chown

Posted: Tue Oct 16, 2018 4:59 am
by tpyo kingg
Apologies. There is an error (typo?) in the chown line:

It says "sudo chown root:root /home/user1/"

and it should be instead "sudo chown root:user1 /home/user1/"

The chroot target directory needs at least x permissions for the group and the group has to be one which allows the account to actually take advantage of those permissions. rx is ok too.

I should copy/paste and not re-key. I've fixed it above with an edit and annotated it.