Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Chroot for SFTP?

Status
Not open for further replies.
Joined
Jun 10, 2011
Messages
1
I require my users to be confined to their home directory (using chroot and the scponly shell) for SFTP. This works for me with regular FTP but not for SFTP which is how my users will connect. Is there any way to make this work in FreeNAS (8.2-RELEASE-p1)?

I don't want the users to be able to go "up" and out of their home directory into / and be able to access /etc, /var, or what have you, for obvious reasons.

Thanks

edit: I tried just adding '/usr/local/bin/scponlyc' to /etc/shells and changing a user's shell to that but FileZilla client didn't allow me to connect.
 

jallenjens

Newbie
Joined
Jun 25, 2012
Messages
10
I have the same need. Please, is there anyone who can help tell us how to limit a SFTP connection to the user's home directory?
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
There is no FreeNAS 8.2 RELEASE p1. What's your actual FreeNAS version, make sure it's not the "base OS version"? I'll see what I can do to help.
 

jallenjens

Newbie
Joined
Jun 25, 2012
Messages
10
I'm using FreeNAS-8.0.4-RELEASE-p2-x64 (11367). I've disabled root and anon access to FTP, and enabled Local User Login & Always Chroot.
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
So expected result is chroot'd users accessing with SFTP, actual result is they are able to escape their home directories and traverse the entire filesystem? (Just to make sure we're on the same page.) Are you the person who was having a conversation with @FreeNASTeam on twitter earlier?
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
Okay, I'm gonna set up a VM and set it up and see if it works for me. It will be a while, since I'm at work right now.
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
I went through the same process you described, including the scponly shell, and experienced the same lack of a chroot. Will report if I manage to get it working with proper chroot.
 

jallenjens

Newbie
Joined
Jun 25, 2012
Messages
10
Thanks, Ben. That kind of makes feel better. I'm still hoping that there is a setting somewhere that I have set incorrectly. If not, what is the process for submitting bugs/feature requests to the FreeNAS team?
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
You would create a ticket support.freenas.org. I see a ticket about this that considers it resolved, let me see what's up with that.
 

ben

FreeNAS GUI Developer
Joined
May 24, 2011
Messages
373
It appears that SFTP is deceptive - what appears to be the FreeNAS root filesystem may not actually be so. See if you can make significant changes to the root filesystem that show up in sftp and vice-versa (remember that to change the root file system you have to 'umount /' and 'mount -uw /', I suggest something obvious like 'touch' or 'mkdir' that won't do any damage).

tl;dr: it might be working but appear not to be.
 

James

Team iX
Joined
May 24, 2011
Messages
300
I don't believe scponly is compiled with chroot (it is off by default). I'll confirm if this is the case, and if so, request that it be compiled into the build. Once it supports chroot, instructions for using scponly chroot can be added to the docs.
 

James

Team iX
Joined
May 24, 2011
Messages
300
scponly chroot is not compiled in by default. If you require scponly chroot support, please create a support ticket.
 
Status
Not open for further replies.
Top