Restricting user access with ChrootDirectory

atbb
Restricting user access with ChrootDirectory

Hi folks,

For some reason ChrootDirectory configuration did not work for me.
Here is why. Basically, sshd will check if /chroot directory has
proper owner and access rights. No problem with owner and rights:

create /chroot/user1, /chroot/user2

chown SvcCOPSSH /chroot
chmod 0755 /chroot

Do not forget some changes in the sshd_config:

Subsystem sftp internal-sftp

Match user user1,user2
ForceCommand internal-sftp
AllowTcpForwarding no
ChrootDirectory /chroot/%u

But no luck. sshd keeps complaining:
sshd: PID 2448: fatal: bad ownership or modes for chroot directory component "/".

The problem is that sshd assumes that root has uid 0.
Open the passwd and change the uid to 0 for user SvcCOPSSH (0 after 2000/xp):
SvcCOPSSH:unused_by_nt/2000/xp:0:545:U-***\SvcCOPSSH,S-*-*-**-***-***-***-***:/var/:/bin/false

After service restart users are chrooted where they belong. No browsing.

Regards.
at
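
The sshd_config documentation requires every component of the ChrootDirectory path to be a root-owned (uid 0) directory that is not writable by group or others, which is why the error in the post above names "/". The following is an added example, not part of the thread or of OpenSSH: a Python sketch that audits a chroot path the same way but lists every failing component rather than stopping at the first. The names chroot_path_problems and fake_stat, the uid 1005 and the BEFORE/AFTER tables are constructed for illustration.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def chroot_path_problems(path, stat_fn=os.stat):
    """Return [(component, reason)] for every path component that is not a
    directory owned by uid 0 with no group/world write bit."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [(path, "chroot path must be absolute")]
    problems = []
    # Check "/" first, then each deeper component down to the target.
    for comp in map(str, [p, *p.parents][::-1]):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc.strerror}"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            continue
        if st.st_uid != 0:
            problems.append((comp, f"owned by uid {st.st_uid}, not uid 0"))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, f"group- or world-writable (mode {mode:04o})"))
    return problems


def fake_stat(table):
    """Build a stat function from {path: (uid, mode)} for offline testing."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(2, "No such file or directory", path)
        uid, mode = table[path]
        return SimpleNamespace(st_uid=uid, st_mode=mode)
    return _stat


D = stat.S_IFDIR
# Constructed sample data: 1005 stands in for a non-zero service-account uid.
BEFORE = {"/": (1005, D | 0o755), "/chroot": (1005, D | 0o755),
          "/chroot/user1": (1005, D | 0o755)}
# Ownership fixed, but the user directory is left group-writable.
AFTER = {"/": (0, D | 0o755), "/chroot": (0, D | 0o755),
         "/chroot/user1": (0, D | 0o775)}

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        for comp, reason in chroot_path_problems("/chroot/user1", fake_stat(table)):
            print(f"{label}: {comp}: {reason}")
```

Called with the default stat_fn it inspects the real filesystem, so it can be run against the configured ChrootDirectory before restarting the service.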

itefix
There is no real chroot

There is no real chroot support in Cygwin. See a related Cygwin thread for more information.

atbb
ChrootDirectory

ChrootDirectory is the OpenSSH configuration that chroots sftp users using the internal sftp subsystem. The real chroot is not involved.