Chroot SFTP - Possible to allow user to write to current (chroot) directory

Solution 1:

Hey @emmdee It took me forever to realize there is a simple and nice trick to that. You just have to make root the owner of a parent folder to where you wanna sFTP, then use force command to tell a specific user to load a specific DIR inside the CHROOT directory.

In your case in case you want /home/sftpuser to be the writtable directory, you will have to make root the owner of /home directory then go ahead and Force Command he /sftpuser as a landing directory for that user or a group.

Your /etc/ssh/sshd_conf will look like this:

Match User sftpuser
    ChrootDirectory /home
    ForceCommand internal-sftp -d /sftpuser
    AllowTCPForwarding no
    X11Forwarding no

Once that is done you have to give the right permissions as said earlier, the root should own the parent(chroot) directory /home while the user should own the final(-d) directory /sftpuser. I am goin to assume that you have an sFTP users group called sftpusers, if not; just ommit the group from the next commands or replace it with the users instead (root in the first and sftpusers in the second). As we are using -R in the command line for inheritance, you will have to start with the root ownership before the user ownership as follows:

sudo chown -R root:sftpusers /home

then for the user you can run:

sudo chown -R sftpuser:sftpusers /home/sftpuser

I am not certain that this is needed but you can always restart sshd service to make sure that all settings are reloaded again:

sudo systemctl restart sshd.service

This should work like a charm hopefully, I had a similar problem and the solution was there looking at me in the eyes most of the time.


Solution 2:

I know its been a couple of years, but this post got me 98% of the way there. after searching for a long time.

To make it so that I can have users chrooted and automatically get them into their own directory with write permissions I used the method that African Idiot suggested, and also made the original chroot directory owned by root user and the ftp group.

But the key for me to keep them in that folder and not be able to .. and attempt to browse other users' folders, was to make the folder chmod 710 (rwx--x---) so that the ftp group had execute to do the internal-sftp -d /%u (ie cd into the users subdirectory) and now if I attempt to cd .. into the upper directory, because there's no read for anyone but root, it fails.

drwx--x---  6 root        sftpusers   uarch  6 Feb 19 15:34 ./
drwxr-xr-x  5 root        root        uarch  5 Feb  4 09:13 ../
drwxrwx---  3 anotheruser anotheruser uarch  3 Feb 24 15:34 anotheruser/
drwxrwx---  3 ftpuser     ftpuser     uarch 12 Feb 25 10:55 ftpuser/

hope this helps someone else too.