Jephe Wu - http://linuxtechres.blogspot.com
Objective: let normal user accounts delete all files under the /usr/local/tomcat/files/ directory while being chrooted to /usr/local/ after sftp login.
Environment: CentOS 5.4, OpenSSH 5.X; /usr/local/tomcat and all of its subdirectories are owned by tomcat:tomcat
Challenges:
1. The default CentOS 5.4 does not ship a version of OpenSSH that supports chroot.
2. The OpenSSH internal-sftp chroot requires that all components of the pathname be root-owned directories that are not writable by any other user or group, so we cannot chroot to the /usr/local/tomcat/files directory, because tomcat is owned by tomcat, not root.
3. /usr/local/tomcat/files is owned by tomcat, not by the user accounts. So, although we can chroot to /usr/local/, we still need to let the user accounts delete files there.
Approach:
1. install the latest OpenSSH 5.X
2. use the chroot feature with internal-sftp: the user can only use sftp, not a shell, and is chrooted to /usr/local after login, which works because /usr/local is owned by root.
3. use the ACL feature to grant write access to the folder /usr/local/tomcat/files without allowing the user to list files under /usr/local/tomcat
Steps:
1. download and install openssh 5.x (./configure; make; make install, which installs to /usr/local/)
or you can check this page to install compiled RPM:
http://linuxadminzone.com/quickly-upgrade-ssh-openssh-in-centos-linux-to-latest-5-5-version/
2. configure /usr/local/etc/sshd_config as follows:
Subsystem sftp internal-sftp [-u 0002]
Match group chrooted
ChrootDirectory /usr/local/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp [-u 0002]
Note: -u 0002 sets the umask for the user after login. You can make
/usr/local owned by root:sftp (chown -R) with mode 755 (chmod -R), and
/usr/local/XXXX owned by apache:sftp (chown -R) with mode 775 plus the setgid bit on the group (chmod -R g+ws XXXX),
so that the two users can share the work on the project.
Note: if you want to set up a chrooted, sftp-only environment for all users belonging to the sftponly group, you can do this:
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
or
Match Group sftponly
ChrootDirectory /sftponly
ForceCommand internal-sftp
note: you can give the /sftponly directory root:sftponly ownership; if you'd like
to restrict users from writing to that folder, don't give write permission to the group,
or create a subfolder under /sftponly and give write permission to that subfolder only, instead of to the parent folder.
3. create user account jephe:
useradd jephe
groupadd chrooted
usermod jephe -G chrooted
4. mount the partition that the folder /usr/local/ belongs to with the acl mount option
5. set acl for user jephe
setfacl -m u:jephe:x /usr/local/tomcat/
setfacl -m u:jephe:rwx /usr/local/tomcat/files
Note: now user jephe is able to delete any files under /usr/local/tomcat/files, but cannot list any other files under the /usr/local/tomcat directory. The user can configure WinSCP to switch directly to /tomcat/files (/usr/local becomes / for the user after chroot).
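As an added example (not from the original post), the following Python checks the two things step 2 and challenge 2 depend on: that the Match block for the chrooted group carries the sftp-only directives, and that every component of the ChrootDirectory path is root-owned and not group/other writable, which is why /usr/local works as a chroot but /usr/local/tomcat does not. SAMPLE_CONFIG is a constructed copy of the fragment above; stat_fn is an assumed injectable parameter so the path check can be exercised against fake metadata.

```python
import os
import stat
# Directives the post's Match block sets for an sftp-only chroot.
REQUIRED = {"chrootdirectory": None, "forcecommand": "internal-sftp",
            "x11forwarding": "no", "allowtcpforwarding": "no"}
# Constructed sample: the Match block from step 2 above.
SAMPLE_CONFIG = """\
Match group chrooted
ChrootDirectory /usr/local/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -u 0002
"""
def parse_match_blocks(text):
    """Map Match criteria -> {directive: value}; a Match block runs until the next Match."""
    blocks, current = {}, None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword
        if not fields:
            continue
        key = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if key == "match":
            current = blocks.setdefault(value.lower(), {})
        elif current is not None:                      # ignore global directives
            current[key] = value
    return blocks

def audit_match_block(text, criteria):
    """List what is missing or wrong in the Match block for `criteria`."""
    block = parse_match_blocks(text).get(criteria.lower(), {})
    problems = []
    for key, want in REQUIRED.items():
        got = block.get(key)
        if got is None:
            problems.append(f"{key} missing")
        elif want is not None and got.split()[0].lower() != want:
            problems.append(f"{key} is '{got}', expected '{want}'")
    return problems

def check_chroot_path(path, stat_fn=os.stat):
    """Return the first component of `path` (from / down) that is not
    root-owned or is group/other writable, else None."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts) + 1):
        comp = "/" + "/".join(parts[:i])
        st = stat_fn(comp)
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return comp
    return None
```

Run check_chroot_path("/usr/local") on the real host to confirm the chroot target before restarting sshd; a non-None result names the offending component.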