problems about sftp

Status
Not open for further replies.

Mozzie

Cadet
Joined
Sep 3, 2015
Messages
4
Hi, I'm a newcomer.

I followed the FreeNAS 9.2.1 guide to create SFTP and have some problems.

Here are my steps:
1. Create a ZFS dataset for user mozzie

2. Create a group named sftp

3. Create the user named mozzie and add him to the sftp group

4. Set permissions for user mozzie in dataset mozzie

5. Create a home directory for user mozzie with folder name moz, and set permissions on this folder

6. Configure SSH in Services, add the extra options

7. Start the SSH service

8. Test the connection with client 'Core ftp'

9. We succeed

10. But I cannot create a new directory, why?

11. I can only create a new directory or upload a file in a sub-folder

My question is: why can I only upload files to a subdirectory of the home directory instead of the home directory itself? Any advice would be appreciated. Thanks in advance.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Your user didn't have permissions on the mozzie dataset. Make that user the owner of the dataset. Also why did you make the group? You didn't do anything with it?
 

Mozzie

Cadet
Joined
Sep 3, 2015
Messages
4
> Your user didn't have permissions on the mozzie dataset. Make that user the owner of the dataset. Also why did you make the group? You didn't do anything with it?

Thanks for your reply. I want user mozzie to access only his folder when he logs in with an SFTP client. So I created an sftp group and added user mozzie to this group. If the user mozzie is not in the group sftp, he is able to navigate outside of his home directory.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Adding the user to the FTP group doesn't prevent him from seeing other directories. Think about it as giving them the ability to see things that are in the same group. So you also need to make the mozzie dataset owned by mozzie and have a group of FTP. This way mozzie can have owner permissions and FTP group can have group permissions.
 

Mozzie

Cadet
Joined
Sep 3, 2015
Messages
4
> Adding the user to the FTP group doesn't prevent him from seeing other directories. Think about it as giving them the ability to see things that are in the same group. So you also need to make the mozzie dataset owned by mozzie and have a group of FTP. This way mozzie can have owner permissions and FTP group can have group permissions.

Thanks for the reply.

In step #3 of my first post, I created the owner group of mozzie when I created the user mozzie; please see the selected check-box "Create a new primary group for the user". So I think the user mozzie has 2 groups as you mentioned -- one is the SFTP group and the other is group mozzie.

I checked the guide again and found there must be a directory in the <home> directory which is writable for user mozzie and can be used to write and upload data. This is not so convenient and looks weird. If the user could write or upload files in the <home> directory instead of its sub-directory, it would be perfect.

Here is the official guide, page 211 (http://web.freenas.org/images/resources/freenas9.2.1/freenas9.2.1_guide.pdf):
5. Create a home directory within each dataset using Shell. Due to the permissions required by SSH chroot, the user will not have permissions to write to the root of their own dataset until you do this. Since your intention is to limit them to the contents of their home directory, manually create a home directory for each user within their own dataset and change the ownership of the directory to the user. Example 8.12a demonstrates the commands used to create a home directory called user1 for the user account user1 on dataset /mnt/volume1/user1:
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Adding the user to the FTP group doesn't prevent him from seeing other directories. Think about it as giving them the ability to see things that are in the same group. So you also need to make the mozzie dataset owned by mozzie and have a group of FTP. This way mozzie can have owner permissions and FTP group can have group permissions.

See auxiliary parameters for sshd. SFTP members are chrooted to their home directory.

Personally, I create two groups, sftp_user and sftp_admin.

I then set chroot for sftp_user to the dataset I want to share, say /mnt/tank/sftp, and then create user home directories there with owner <user>:sftp_admin. User and group have write privileges. This allows me to designate some users to admin the entire sftp share, but regular users cannot access data of other users.
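
The permission rule behind the guide passage quoted earlier in the thread, as an added example that is not part of any post or of the FreeNAS guide: sshd accepts a ChrootDirectory only when every component of the path is a root-owned directory that is not group- or other-writable, which is why uploads have to land in a user-owned subdirectory. The function names are hypothetical, and the `mozzie` subdirectory in the usage comment is an assumed layout under the `/mnt/tank/sftp` path mentioned above.

```shell
#!/bin/sh
# Added example: audit an sftp chroot layout before pointing sshd at it.
# Uses "ls -ldn" so it works on both FreeBSD (FreeNAS) and Linux.

# path_info PATH -> sets $perms (mode string) and $uid (numeric owner)
path_info() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || return 1
    read -r perms _links uid _rest <<EOF
$info
EOF
}

# component_ok DIR -> 0 if DIR is a root-owned directory that is
# neither group-writable nor other-writable
component_ok() {
    path_info "$1" || return 1
    [ "$uid" = 0 ] || return 1
    case $perms in
        d????w*|d???????w*) return 1 ;;  # group or other write bit set
        d*) return 0 ;;
        *) return 1 ;;                   # not a directory (file, symlink)
    esac
}

# chroot_ok ABS_PATH -> 0 if every component up to / passes component_ok;
# returns 2 for a relative path, 1 for the first unsafe component
chroot_ok() {
    case $1 in /*) dir=$1 ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    while :; do
        component_ok "$dir" || { echo "unsafe chroot component: $dir" >&2; return 1; }
        [ "$dir" = / ] && return 0
        dir=$(dirname -- "$dir")
    done
}

# upload_dir_ok DIR UID -> 0 if DIR is a directory owned by UID with the
# owner write bit set (the writable folder inside the chroot)
upload_dir_ok() {
    path_info "$1" || return 1
    [ "$uid" = "$2" ] || return 1
    case $perms in d?w*) return 0 ;; *) return 1 ;; esac
}

# Usage (assumed layout):
#   chroot_ok /mnt/tank/sftp && upload_dir_ok /mnt/tank/sftp/mozzie "$(id -u mozzie)"
```

A chroot that fails `chroot_ok` is rejected by sshd at login, so a user-owned or world-writable dataset root cannot also serve as the chroot.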
 