sftp
Issue with home directory
If I have a user config set up like so:

```
steve:123:::upload
```

The `upload` directory is created, but when I SFTP, the user is still one level up. This feels insecure as the user can see the `.ssh` directory and add any additional keys etc. Is it possible to force the user into the `upload` dir by default, so they can't get to their root home directory?
My setup is:

```yaml
version: '3.3'
services:
  sftp:
    image: atmoz/sftp:alpine
    volumes:
      - ./users.conf:/etc/sftp/users.conf:ro
      - ./upload:/home
      - ./ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
      - ./ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
```
Yes, I would also like to know whether it is possible to restrict a user to a certain directory with write access. See also https://github.com/atmoz/sftp/issues/190
No response and no comments after half a year.
> The `upload` directory is created, but when I SFTP, the user is still one level up. This feels insecure as the user can see the `.ssh` directory and add any additional keys etc. Is it possible to force the user into the `upload` dir by default, so they can't get to their root home directory?

Same problem
So I just tested using a custom `sshd_config` where a subdir is used as chroot instead. This will limit the user's access to `.ssh` and other files/dirs directly under the user's home dir. You still have to create subdirs inside the chroot to let the users upload files, that is just the nature of chroot.

See 55900d4 for tips on how to do this.
I don't know if this issue was resolved for anybody, but as of Jan 6, 2022 I found the same issue with the `.ssh` folder and public key being visible/accessible. For security reasons, I too don't want the user to be able to view/change the public key. My use case is simple without a lot of users. The solution was to make two simple changes and rebuild the image, one to the `create-sftp-user` script and the other to the `sshd_config` file. With those changes the user gets dropped into the subdirectory created and not the user's home. This may not play nice with the `users.conf` `[dir1,[dir2]]` feature as I haven't spent time reviewing that.

The first of the two changes I made was in the `create-sftp-user` script so that it creates a "sftp" directory in the user's home. It could be any name for that matter. The second was to add that "sftp" directory to the `ChrootDirectory %h` directive in the `sshd_config` file. Now a login drops the user into the "sftp" directory and is unable to traverse up to the user's home directory. I can bind mount a host directory or volume to the `/home/$USER/sftp` directory and all is well.
> git diff
diff --git a/files/create-sftp-user b/files/create-sftp-user
index 874264c..63ea9ca 100755
--- a/files/create-sftp-user
+++ b/files/create-sftp-user
@@ -66,7 +66,7 @@ if [ -n "$gid" ]; then
fi
useradd "${useraddOptions[@]}" "$user"
-mkdir -p "/home/$user"
+mkdir -p "/home/$user/sftp"
chown root:root "/home/$user"
chmod 755 "/home/$user"
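Review bot: the new `mkdir -p "/home/$user/sftp"` never sets ownership or mode on the directory it creates, while the `chown root:root` and `chmod 755` that follow only touch `/home/$user`. Because the companion sshd_config change makes `%h/sftp` the chroot target, that directory must itself be root-owned and not group/world-writable or sshd will refuse the login, so add `chown root:root "/home/$user/sftp"` and `chmod 755 "/home/$user/sftp"` next to the existing lines rather than relying on root's umask. The commit message or README should also note that the extra directories from users.conf are still created directly under `/home/$user`, which is now outside the jail, as the poster already suspects.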
diff --git a/files/sshd_config b/files/sshd_config
index 1308c8b..b9ba9a6 100644
--- a/files/sshd_config
+++ b/files/sshd_config
@@ -12,11 +12,13 @@ UseDNS no
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
# Force sftp and chroot jail
Subsystem sftp internal-sftp
ForceCommand internal-sftp
-ChrootDirectory %h
+ChrootDirectory %h/sftp
# Enable this for more logs
#LogLevel VERBOSE
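Review bot: `ChrootDirectory %h/sftp` hard-codes the subdirectory name, so any account whose home lacks a root-owned, non-writable `sftp` directory (one created by an unpatched `create-sftp-user`, or a bind mount that brings in a user-owned directory) fails to log in with a chroot ownership/mode error instead of falling back to `%h`; document that requirement in a comment next to the directive. Note too that the user cannot write into the chroot root itself, so uploads need a user-owned subdirectory below `%h/sftp`, which is what the compose file's `./data:/home/testuser/sftp/data` mount provides.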
```sh
docker build -t atmoz/sftp-server .
```

`./sftp-server/users.conf`:

```
testuser::1001:1001
```

`./docker-compose.yml`:

```yaml
---
version: "3.9"
services:
  sftp-server:
    image: atmoz/sftp-server
    volumes:
      # Defined users
      - ./sftp-server/users.conf:/etc/sftp/users.conf:ro
      # -----------------
      # Host SSH Key
      # -----------------
      - /home/services-admin/.ssh/sftp-host:/etc/ssh/ssh_host_ed25519_key:ro
      # -----------------
      # Users keys
      # -----------------
      # Example usage:
      # - ./sftp_users/users/<someuser>/<someuser>.pub:/home/<someuser>/.ssh/keys/id_ed25519.pub:ro
      - ./sftp-server/users/testuser/testuser.pub:/home/testuser/.ssh/keys/id_ed25519.pub:ro
      # Mapped folders - per user
      - ./data:/home/testuser/sftp/data
    ports:
      - 2222:22
    restart: unless-stopped
```
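Both the maintainer's suggestion of chrooting into a subdirectory and the patched `ChrootDirectory %h/sftp` above hinge on the same sshd rule: every component of the chroot path, from `/` down to the target, must be owned by root and must not be writable by group or others, otherwise sshd rejects the session with "bad ownership or modes for chroot directory component". The following audit script is an added example, not code from atmoz/sftp or from either commenter; the function names (`path_components`, `component_ok`, `audit_stat_lines`, `audit_chroot`) are mine, and it assumes a GNU or busybox `stat` that accepts `-c '%u %a %n'`. It separates the pure check from the filesystem so the rule itself can be exercised on constructed `stat` output.

```sh
#!/bin/sh
# Added example (not atmoz/sftp code): audit an sshd ChrootDirectory path the
# way sshd does before it chroots a session. Each component from / down to the
# chroot must be owned by uid 0 and must not be group- or world-writable.
# Assumes GNU/busybox `stat -c`.

# Print every path component from / down to the given path, one per line.
# Runs in a subshell so the IFS and globbing changes do not leak out.
path_components() (
    printf '/\n'
    IFS=/
    set -f
    _acc=""
    for _part in $1; do
        [ -n "$_part" ] || continue
        _acc="$_acc/$_part"
        printf '%s\n' "$_acc"
    done
)

# Pure check on one component: $1 = numeric owner uid, $2 = octal mode as
# printed by `stat -c %a` (e.g. 755 or 1777). Returns 0 when sshd would accept
# it. Only the write bits of group and others matter; the sticky bit does not
# rescue a world-writable 1777 directory.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    _o=${2#"${2%?}"}             # last octal digit: others
    _rest=${2%?}
    _g=${_rest#"${_rest%?}"}     # next-to-last digit: group
    case $_g in 2|3|6|7) return 1 ;; esac
    case $_o in 2|3|6|7) return 1 ;; esac
    return 0
}

# Read "uid mode path" lines (the shape `stat -c '%u %a %n'` prints) from
# stdin, report each component sshd would reject, and return 1 if any were bad.
audit_stat_lines() {
    _bad=0
    while read -r _uid _mode _path; do
        [ -n "$_path" ] || continue
        if ! component_ok "$_uid" "$_mode"; then
            printf 'bad: %s (uid=%s mode=%s)\n' "$_path" "$_uid" "$_mode"
            _bad=1
        fi
    done
    return $_bad
}

# Run the audit against a real path, e.g. `audit_chroot /home/testuser/sftp`.
# Exit status 0 means sshd would accept the chroot; violations are printed.
audit_chroot() {
    path_components "$1" |
        while IFS= read -r _c; do stat -c '%u %a %n' "$_c"; done |
        audit_stat_lines
}

if [ "$#" -gt 0 ]; then
    audit_chroot "$1"
fi
```

Run it inside the container (`docker exec <ctr> sh audit.sh /home/testuser/sftp`) after the image is built: a clean result confirms the jail will be accepted, and a `bad:` line for `/home/testuser/sftp` is exactly the symptom you get when the directory is created by a bind mount as the unprivileged user instead of by the patched `create-sftp-user`. The audit says nothing about whether the user can upload; for that the data directory below the chroot still has to be owned by the user, as the maintainer notes.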