Create ubuntu user with home folder located in www and restrict ssh access using ChrootDirectory to that folder

I posted this on stackoverflow and was told to post here:

I am running an Ubuntu remote dev server in a heavily restricted (due to compliance) environment, which I had previously configured correctly for many devs a year ago but have since forgotten how.

On this server I log in as root and have my own folder in

/var/www/me/laravel 

and everything works fine. I am now adding new users to this server but can't get it working.

In this case I want to create a user called "mike" and allow him to have full read, write and execute permissions in his folder (to run multiple applications, Laravel and Angular) located in

/var/www/mike 

for applications served by Apache.

mike will SSH onto the server remotely using his Ubuntu username/password and be restricted to his folder, only working on projects in its subfolders, not being able to move outside of his home directory but having full control of all the folders in this directory to develop remotely.

So far I have:

sudo useradd -m -d /var/www/mike mike
sudo passwd mike
sudo chmod 700 /var/www/mike
sudo nano /etc/ssh/sshd_config  

Then I add the below to the file and restart the SSH service:

Match User mike
    PasswordAuthentication yes
    AllowTCPForwarding no
    #ForceCommand internal-sftp
    ChrootDirectory /var/www/mike

sudo service ssh restart

If I enable

ChrootDirectory /var/www/mike

mike cannot log into the server. If I comment out ChrootDirectory, mike can log in fine but can still navigate into root, just not into other users' folders if I give them each chmod 700, but then that messes with Apache serving the applications in those folders.

I've tried following this:

https://unix.stackexchange.com/questions/542440/how-does-chrootdirectory-and-a-users-home-directory-work-together

and I have set

 /var/www/mike 

as

 chown root:root /var/www/mike

with

 chmod 755 /var/www/mike

then created a folder

 /var/www/mike/home

and gave it

chown mike: /var/www/mike/home
chmod 750 /var/www/mike/home
usermod -d /var/www/mike/home mike

If I then try to set

 ChrootDirectory /var/www/%u

it allows me to log in, but in auth.log, after the session is opened for mike, I see

 error: /dev/pts/0: No such file or directory

Also, in regards to the Laravel setup with this chroot, I cannot remember if I should add

usermod -a -G users www-data

Then I need to allow Apache (www-data) to serve this directory's public folder and have the correct permissions for the Laravel storage, cache etc. to be used by Apache.

I tried

cd /var/www/mike/home/laravel

sudo chown -R mike:www-data .

to give both the user and the webserver permissions:

sudo find . -type f -exec chmod 664 {} \;   
sudo find . -type d -exec chmod 775 {} \;

so the webserver has rights to read and write to storage and cache:

sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache

Can anyone tell me what I am doing wrong?

Hi! Interesting question! Just guessing, but a restriction on the directory used as ChrootDirectory is that all components of the pathname must be root-owned directories that are not writable by any other user or group. Is that true in your case?

I'm not entirely sure if they are or not - I created a brand new user from scratch for testing. The /var/www/mike directory is root:root with 755 permissions, then the home folder, which I can ssh into but it hangs up due to the error: /dev/pts/0: No such file or directory. Is all this about mounting dev/pts in /var/www/mike/dev/pts? Sorry, I'm not super strong on Linux so trying to figure it out the hard way :(

What do the `journalctl` logs say when user mike tries to log in? Also, BTW, I'm not familiar with ssh's ChrootDirectory but there may be some clues here: https://unix.stackexchange.com/questions/542440/how-does-chrootdirectory-and-a-users-home-directory-work-together