Set startup folder for SFTP to be other than /home/username is throwing me permission issues

Right, I managed to get some advice on the #openssh IRC channel, and here is what was missing from my solution:

The directory specified in ChrootDirectory must be owned by root. Since in the above sshd_config file I have specified the %u variable so that every user has their own root directory based on their username (e.g. testuser would be /mnt/inbound/testuser/), all of those directories must be owned by root. This is in fact the default when I create the directories doing sudo mkdir /mnt/inbound/<username>, since the mkdir command is elevated via sudo.

So what I needed to do is to create a sub-directory under /mnt/inbound/<username> and give that directory permission for the user. In my case I called this directory uploads.

So I changed my configuration slightly as follows:

     Match Group sftponly
         # Chroot the connection into the specified directory
         ChrootDirectory /mnt/inbound/%u
         # Force the connection to use the built-in SFTP support
         ForceCommand internal-sftp -d /uploads

The ForceCommand line has been changed to include -d /uploads, meaning that the default directory after the user logs in is /uploads. Note that it is /uploads and not /mnt/inbound/%u/uploads, because it takes into account that /mnt/inbound/%u has been specified as the new root in the previous line of the config.

If I do ChrootDirectory /mnt/inbound/ and then specify ForceCommand internal-sftp -d /%u, I could make the /mnt/inbound/<username> folder be owned by the end user, since /mnt/inbound is now the new root directory that must be owned by the root account. However, users would be able to navigate to the parent folder and see the directory names of all other accounts. I decided against that :)


Thank you for posting your updated solution, @pmdci. I had to make a slight modification on my side to make it work in the /home directory for a given user in Ubuntu 18 - yes this is somewhat counter to your specific goal of using a non-home folder, but may help others trying to do similar.

  1. Make a new system user (I'm calling this user "yournewuser" in this example) for your SFTP access (Ubuntu should automatically generate the home directory in the "adduser" input process), set the password, and add the new user to the group that you will be setting as the control group for SFTP; I'm calling this "yoursftpgroup" in this example.

  2. If you do not want that user to log in, set the following: sudo usermod -s /sbin/nologin yournewuser

  3. As you pointed out, make sure the directory for the new user is owned by root with a "CHOWN root". Yes this should be done and sudo should take care of this, but I did this explicitly just in case...

  4. Set the permissions (CHMOD) to 755 for this new user's directory "/home/yournewuser/". I did not have to use the -R switch (watch out with that one). Note: this should be the same permissions as for the other users - at least in my case. Failure to do this will cause an access denied issue at SFTP logon (tested with WinSCP).

  5. Make a new directory for your uploads at /home/yournewuser/uploads. You likely had to do this as sudo, so now you need to shift ownership back to that user with: sudo chown yournewuser:yoursftpgroup /home/yournewuser/uploads

  6. Now set the permissions of that directory to 700: sudo chmod 700 /home/yournewuser/uploads

  7. Change the /etc/ssh/sshd_config file with the following lines at the end (just a tweak of your lines for this case):

     Subsystem       sftp    internal-sftp

     Match Group yoursftpgroup
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp -d /uploads

  8. Restart the SSH service with: sudo service ssh restart

  9. Test access
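As an added example (not part of either answer above), here is a small POSIX shell script that builds the layout both answers describe (a root-owned 755 chroot directory with a user-owned 700 uploads subdirectory) and checks the rule sshd enforces on ChrootDirectory: every component of the path must be root-owned and not writable by group or others. It assumes GNU coreutils stat(1); the base path, user and group names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers. Builds the chroot layout
# described above and verifies the ownership/mode rule sshd applies to
# every component of ChrootDirectory. Assumes GNU coreutils stat(1).

# mode_ok OCTAL_MODE -> 0 unless the group or other write bit is set
mode_ok() { [ $(( 0$1 & 022 )) -eq 0 ]; }

# owner_ok UID [EXPECTED_UID] -> 0 if UID matches (sshd requires uid 0)
owner_ok() { [ "$1" -eq "${2:-0}" ]; }

# check_chroot_path CHROOT STOP [EXPECTED_UID]
# Walks from CHROOT up to and including STOP and prints the first component
# that breaks the rule. Returns 0 when every component passes.
# EXPECTED_UID defaults to 0 (root); it is a parameter only so the check
# can be exercised in a sandbox without root privileges.
check_chroot_path() {
    p="$1"; stop="$2"; want="${3:-0}"
    while :; do
        out=$(stat -c '%u %a' "$p") || return 2   # "uid octal-mode"
        set -- $out
        owner_ok "$1" "$want" || { echo "$p: owned by uid $1, expected $want"; return 1; }
        mode_ok "$2"          || { echo "$p: mode $2 is group/other writable"; return 1; }
        [ "$p" = "$stop" ] && return 0
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# make_sftp_tree BASE USER GROUP
# Creates BASE/USER (the chroot, root:root 755) and BASE/USER/uploads
# (USER:GROUP 700), mirroring the answers above. The chown calls need root
# and are skipped otherwise so the layout can still be tried locally.
make_sftp_tree() {
    base="$1"; user="$2"; group="$3"
    mkdir -p "$base/$user/uploads"
    chmod 755 "$base" "$base/$user"
    chmod 700 "$base/$user/uploads"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$base" "$base/$user"
        chown "$user:$group" "$base/$user/uploads" 2>/dev/null \
            || echo "note: chown $user:$group failed (user or group missing?)"
    fi
}
```

Run `check_chroot_path /mnt/inbound/testuser /` as root before restarting sshd; a non-zero exit names the component that will make the chroot login fail.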
