Score:0

SSH Permissions and chroot


Currently I use the following configuration

mkdir -p /var/www
chmod -R 555 /var/www
mkdir -p /var/www/user1
chown root:root /var/www/user1
useradd user1
usermod user1 -s /bin/false
usermod user1 -d /var/www/user1
mkdir -p /var/www/user1/html/com.domain.site1
chmod 750 /var/www/user1/html/com.domain.site1
chown -R user1:www-data /var/www/user1/html
chmod -R g+s /var/www/user1/html
groupadd allowSFTP
usermod -a -G allowSFTP user1

For SFTP access I add this to sshd_config

Subsystem sftp internal-sftp
Match Group allowSFTP
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Thus, each user has access only to his own directories via SFTP.

Now I still have SSH enabled for the user

Match Group allowSFTPandSSH
    ChrootDirectory %h
    AllowTcpForwarding no
    X11Forwarding no

usermod user1 -s /bin/bash

How do I get the user to be trapped in his folder? With ChrootDirectory he can no longer log in because /bin/bash is no longer found.

If the user now uses e.g. npm or something else, there is an error, because the user has too few permissions in the "/var/www/user1/" folder or on files like .npm, cache,... in the folder. I can create these as admin and then it works. But can I also change something so that the user has the permissions?

kab00m
Putting any process in a chroot without the necessary executables and libraries is not possible. The process can chroot itself, but that is not about login purposes. You have to put everything necessary in the chroot directory to let anyone log into it.
Score:1

Chroot for file transfers can be a good way to isolate incoming data from affecting the system. OpenSSH ForceCommand internal-sftp further enforces that the user can only run sftp commands, and as the implementation is built into sshd, no additional programs in the chroot are required.

However, allowing commands in the chroot changes things. Now you need to copy programs into there and keep them patched, a task that's not quite like maintaining a container image. File permissions need to allow what they are supposed to, which as you found out can be nontrivial for tools like building packages. In general, it is possible to set up whatever role-based access control you like with file permissions or ACLs. Although now you have no home directory and are just dumping files in the web server chroot.

Consider not allowing commands in this chroot. Users provide pre-built packages that get installed where they should go, without use of package builders like npm. There are several ways to do this, depending on your workflow. With fancy CI/CD tooling, builds can be triggered from the version control, and eventually copied in via an automatic process. Or the person builds it in a more manual process, then uses some deployment scripts that only know how to extract archives to the web root.
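
The last option in the answer above, a deployment script that only knows how to extract archives to the web root, sketched as an added example that is not part of the original thread. The function names (plan, deploy, sample_archive) are hypothetical; the script refuses links, devices and any path that would land outside the web root, and validates the whole archive before writing anything.

```python
import io
import os
import shutil
import tarfile

def plan(tar, web_root):
    """Validate every member first; return (member, target) pairs or raise."""
    root = os.path.realpath(web_root)
    pairs = []
    for m in tar.getmembers():
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing link/device member: {m.name}")
        # realpath also resolves symlinks that already exist under the web root
        target = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing path outside web root: {m.name}")
        pairs.append((m, target))
    return root, pairs

def deploy(archive, web_root):
    """Extract a tar stream into web_root; nothing is written if any member fails."""
    written = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        root, pairs = plan(tar, web_root)
        for m, target in pairs:
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            # drop setuid/setgid/sticky bits and group/other write permission
            os.chmod(target, m.mode & 0o755)
            written.append(os.path.relpath(target, root))
    return written

def sample_archive(names):
    """Constructed sample input: an in-memory tar with one small file per name."""
    buf = io.BytesIO()
    data = b"<h1>ok</h1>\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Run by a deploy account or CI job against a directory such as /var/www/user1/html/com.domain.site1, this keeps the SFTP-only chroot from the question intact, since no shell or npm is needed inside it.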
