sftp jail in mount point

[elfresno]

500/5000
Hi, I make a request. I create a user and jail it to a folder for sftp with openssh, all right here, I open the filezila and I can see the caged folder and read but not write, the folder is a pendrive mount point and belongs to root, so I make the owner of the folder to this user, but now the filezila does not connect, however the pendrive is mounted and the user owns it. someone wanted to do something like this or know how to solve it? Thank you,

PS: I'm mount it with etc / fstab

[tpyo kingg]

The first way you had it, where you could not write, was the correct start but needs to be followed by one of two possible solutions to actually become writable.

Option 1) populate the chroot directory with individual files and subdirectories and manually change those to be owned by the normal account. That is not very flexible but works.

Option 2) just make a whole new subdirectory, change ownership of it to the normal account, and have the SFTP server start the account there. So if you have an account 'pi' and it is chrooted to /home/pi/ which is owned by root, also make /home/pi/pi/ and make that owned by 'pi'. Then use the -d option with the SFTP server to start the account there upon login:

Code: Select all

Match Group sftponly
	ChrootDirectory %h
	AllowTCPForwarding no
	X11Forwarding no
	ForceCommand internal-sftp -d %u

For what it is worth, that subdirectory can be the mount point which you've set in /etc/fstab.

.

The background for this situation is hinted at in the manual page for sshd_config

ChrootDirectory
...
For safety, it is very important that the directory hierarchy be
prevented from modification by other processes on the system
(especially those outside the jail). Misconfiguration can lead
to unsafe environments which sshd(8) cannot detect.

So you must have the chroot target be writable only by root in order to avoid escapes