Changing write permissions for jailed SFTP denies login

Question

I have scouted over many websites and forums on how to setup an SFTP user that is jailed to a certain directory using CHROOT. Here are the steps I have followed but I can't seem to get write permissions to work.

Setup

sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp


Match group webmaster
        X11Forwarding no
        ChrootDirectory %h
        AllowTcpForwarding no
        ForceCommand internal-sftp

Create Folder

mkdir /var/www/sites

Create User and Group

useradd uploader
passwd uploader
usermod -d /var/www/sites uploader
groupadd webmaster uploader
groupadd www-data uploader

Permissions and Ownership

chown root:root /var/www
chmod 755 /var/www/sites

Now with these settings the user uploader is able to SFTP into the home directory but is unable to write to the directory.

There are 2 typical errors that occur, I either can't login or I don't have write permissions.

Login Error

Error:    Network error: Software caused connection abort
Error:    Could not connect to server


Changing permissions of /var/www/sites to 775 or 777 causes login error.
chown /var/www/sites to uploader:root causes login error.
chwon root:webmaster or root:www-data I have no write permissions

I am at odds end trying to figure this out and if anyone could point me into the right direction I would be greatly appreciate it.

Thank you.

score 19 · Answer 1 · edited Jul 31 '18 at 08:25

Found out the solution. The user is jailed to /var/www/sites. I then created another folder /var/www/sites/site1.

I use:

chown root:webmaster /var/www/sites/site1 
chmod 775 /var/www/sites/site1

This enabled the home directory to have the correct permissions to login and then be able to write to the next folder up.

If the user needs write access to /var/www/sites, then you must jail the user at /var/www which has root:root ownership and permissions of 755. You then need to give /var/www/sites ownership of root:(your group) and permissions of 775.

fabreg · Answer 2 · 2013-07-13T10:07:53.153

Maybe the greatest solution is:

mkdir /var/www/sites/myfirstuser/hisownsite
mkdir /var/www/sites/myseconduser/hisownsite

...

chown root:root /var/www/sites /var/www/sites/{myfirstuser,myseconduser} && chmod 755 /var/www/sites/{myfirstuser,myseconduser}

chmod 775 /var/www/sites/myfirstuser/hisownsite
chmod 775 /var/www/sites/myseconduser/hisownsite
chgrp www-data /www/sites/myfirstuser/hisownsite /var/www/sites/myseconduser/hisownsite

Add the users:

useradd -d /var/www/sites/myfirstuser -s /bin/false -g www-data  dev1
useradd -d /var/www/sites/myseconduser -s /bin/false -g www-data dev2
passwd dev1
passwd dev2

Then, for each user you have created, add an ssh tag like this: (you could also use the "Match Group" directive as in your example instead of "Match User")

Match User dev1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Match user dev2
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

So you can manage all users you need in a chrooted environment.

Hth, Fabrizio

Changing write permissions for jailed SFTP denies login

2 Answers2