Chroot SFTP Users for Web Hosting Server.


A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally not access) files outside the designated directory tree. The term “chroot” may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a “chroot jail”. From Wikipedia.

Why it is required? If you want to set up your Linux box as a web hosting server for its users, you may need to give SFTP access. But they can get access to whole system Linux tree, just for reading but still very unsecure. So it is mandatory to lock them in their home directory.

There are many other applications, it’s just a common example, so lets start its configuration.

Linux Box Detail:

Its mine Linux Box, your Linux system may vary. Only thing to take care is the openssh-server version, because openssh-server-5.3p1 support SFTP chroot. Older version supports but its tricky, please let me k now if you want to know that too.

Operating System: CentOS 6.3/x86_64

Kernel Version: 2.6.32-279.19.1.el6/x86_64

Openssh Server Version: openssh-server-5.3p1-81.el6_3/x86_64

chroot-ori1

sshd Server Configuration:

Add the following tail output to your Linux box’s SSH

server configuration file /etc/ssh/sshd_config.

[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then restart sshd service to enable this configuration.

[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com

That’s all now create multiple users for web hosting, and offer the secure sftp access to your customers.

Shell Script to Create Web Hosting Users:

#!/bin/bash
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ ! -d "$HOSTING_DIR" ] && mkdir -p $HOSTING_DIR
grep ^"${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd www-hosting
grep ^"${USR_NAMEP}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g $CHROO_GRP $USR_NAME
chown root:$CHROOT_GRP /home/$USR_NAME
chmod 755 /home/$USR_NAME

Selinux Configuration:

Disable the selinux permanently or configure it for read write user’s home directory in SSH chroot.

[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

Troubleshooting

From: https://wiki.archlinux.org/index.php/SFTP-chroot

sshd[3505]: fatal: bad ownership or modes for chroot directory "/home/linuxexplore.com"

It’s ChrootDirectory ownership problem, sshd will reject sftp connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd doesn’t consider secure. sshd’s apparently strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable for the owner. So, for example, if the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and have permissions like 755 or 750 ( group ownership should allow user to access ).

If you are using sftp with public key check the following link:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=37903&forum=59

If chroot environment is in user’s home directory, make sure user have access to its home directory, or user would not be able to access its publickey, produce the error given in above CentOS forum link.

About these ads

6 thoughts on “Chroot SFTP Users for Web Hosting Server.

  1. Pingback: CentOS 6.3 sftp chroot jail - Page 2

  2. Thanks for a really well written article Rahul. When setting up using this method, it would appear that PHP run from inside these newly created directories is unable to execute due to a permissions issue. PHP runs as user apache but in this article we’re using www-hosting. Do you have any advice on how to get the PHP scripts to run please?

    • Do you try UserDir option in httpd configuration? I don’t know it will work but it is written in httpd.conf document “it can confirm the presence of a username on the system (depending on home directory permissions)”.

      • Thanks for your help Rahul. Unfortunately this is not the solution, as user dir is for when you have a single domain with users branching of it. In my case, I have multiple domains, and am using the Virtual Host feature of the httpd.conf file. Appreciate your efforts though. I shall continue my search.

  3. Pingback: » Linuxaria – Everything about GNU/Linux and Open source How to Chroot SFTP Users on Linux for maximum security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s