How to create SFTP shared folder so multiple restricted and chroot Jailed users can access the same folder

You need to migrate windows based SFTP server to the RHEL platform to save cost and make it easy to manage.

To build a similar kind of environment as I have on windows, I need to create three types of user accounts, and as you know, chroot jailed means that the account is jailed and can’t get out of its home directory by ensuring no other users are affected. So this makes it a bit challenging.

Based on my requirement,

  1. Users should be restricted to their directories and not see OS directories, ensuring no other users are affected. 
  2. Some users will have FULL access to other user’s home directories.
  3. Some users will have read-only access to some other user’s fully shared directories.

There will be other solutions to fix this problem, but I am doing the easiest way I can think of.

I am going to discuss three scenarios.

Scenario #1: Create three SFTP jailed Chroot accounts, but one account should access the files of the other two accounts’ home directory.

I have created a folder structure as shown in the below table. You can see user03 home directory is one level up from the other two accounts.

UsersHome directories
User01/data/accounts/user01
User02/data/accounts/user02
accounts/data/accounts

create directories

mkdir -p /data/accounts/user01 ; mkdir -p /data/accounts/user02

Make the landing directories home directories.

create logins and directories, and you can also amend the /etc/passwd if you have created the user accounts and not added the home directories.

useradd  -d /data/accounts/user01 -s /sbin/nologin user01 ; useradd  -d /data/accounts/user02 -s /sbin/nologin user02

Make sure you have settled the password of your accounts

passwd <userName>

Add your account into the group named sftpusers

groupadd sftpusers 
usermod -aG sftpusers user01

Setup the appropriate permissions

chown user01:sftpusers /data/accounts/user01/internal ; chmod -R 755 /data/user01/internal
chown user02:sftpusers /data/accounts/user01/internal ; chmod -R 755 /data/user02/internal

Edit the sshd_config file

Edit the /etc/ssh/sshd_config and add the following lines.

Configure /etc/ssh/sshd_config

#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# BEGIN SFTP-Server sftpusers block

Match Group sftpusers
ChrootDirectory  %h
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no

#End group sftpusers configuration

Restart the SSHD service

systemctl restart sshd

You have configured user01 and user02, and you can login and upload the files.
Let’s start with our third account named “accounts,” This account should have FULL access to the user01/user02 files.

Configure your third user accounts

useradd  -d /data/accounts -s /sbin/nologin accounts ; mkdir -p  /data/account/

make accounts member of group sftpusers

usermod -aG sftpusers accounts

Make sure you give good permissions to the home directories of user01/user02

chown user02:sftpusers /data/accounts/user01/internal ; chmod -R 775 /data/user02/internal

change the /etc/ssh/sshd_config to add the user accounts

# BEGIN SFTP-Server "accounts" block

Match user accounts
ChrootDirectory  /data/accounts
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
#END SFTP-Server accounts block

Restart the SSHD service.

systemctl restart sshd

TESTING & Diagnostic Steps

you can test your login by doing: sftp user05@localhost
Check /var/log/secure for any errors with permissions and sftp.

sftp and/or scp may fail at connection time if you have shell initialization (.profile, .bashrc, .cshrc, etc) which produces output for non-interactive sessions. This output confuses the sftp/scp client. You can verify if your shell is doing this by executing this

ssh <yourhost> /usr/bin/true

Scenario # 2 one folder is shared by multiple chroot jailed accounts

UsersHome directories
User03/dpt/files
User04/dpt/files

As shown above, both chroot jailed users have shared folders, so we will create the users and configure them.

mkdir -p /dpt/files
useradd  -d /dpt/files -s /sbin/nologin user03
useradd  -d /dpt/files -s /sbin/nologin user04

create group grp-shared and add your accounts into the newly created group.

groupadd grp-shared
usermod -aG grp-shared user03 ; usermod -aG grp-shared user04

To check that your users have the desired group.

groups user03

Make sure you give good permissions to the home directories of user01/user02

chgrp  grp-shared /dpt/files/internal ; chmod -R 775 /dpt/files/internal

change the /etc/ssh/sshd_config to add your group grp-shared in the sshd configuration

#BEGIN SFTP-Server grp-shared block

Match Group grp-shared
ChrootDirectory  /dpt/files
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes
#END SFTP-Server grp-shared block

Restart the SSHD service.

systemctl restart sshd

Scenario # 3 single folder is shared by multiple chroot jailed accounts, but one user has read-only access to that shared folder

UsersHome directories
user03/dpt/files
user04/dpt/files
user05/dpt/files ( READ-ONLY ACCESS)

Here I will show you the configurations for the third user, which has only READ-ONLY access because shared folder scenario I have discussed above. 

useradd   -s /sbin/nologin user05
passwd user05

You can have the default home directory to the users as /home/user05, but in the sshd_config file, you can chroot directory to the /dpt/files.

Match User user05
ChrootDirectory /dpt/files
AllowTcpForwarding no
ForceCommand internal-sftp
X11Forwarding no
PermitTunnel no
PasswordAuthentication yes

Restart the SSHD service.

systemctl restart sshd

Disclaimer: All information posted is merely for educational and informational purposes. Should you decide to act upon any information on this article, you do so at your own risk.

Leave a Reply

Your email address will not be published. Required fields are marked *