So here you are finding that you need to grant someone else SFTP access to your server. There are lots of reasons to do this, in my case it’s because I needed to grant access to someone’s web designer. We initially worked it out by him emailing me files and me SFTP’ing them up to the server in the correct location. Now he needs direct access to fix some things and I want to give him only what he needs without compromising security. Enter the chroot jail. After lots of googling and some encouragement from the Mac OS X Server email list, I’ve got it working. Here’s how it works.
First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.
From the Terminal, start off right.
<br /> sudo cp /etc/sshd\_config /etc/sshd_config.bkup<br /> sudo chown root /<br /> sudo chmod 755 /<br /> sudo mkdir -p /chroot/user/scratchpad<br /> sudo chown -R root /chroot<br /> sudo chown user /chroot/user/scratchpad<br /> sudo chmod -R 755 /chroot<br />
Every additional new user added will then be something along the lines of the following.
<br /> sudo mkdir -p /chroot/user2/scratchpad<br /> sudo chown root /chroot/user2<br /> sudo chown user2 /chroot/user2/scratchpad<br /> sudo chmod -R 755 /chroot/user2<br />
Every folder in the path to the chroot jail must be owned by
root. I don’t think it matters what group the folder is in. What I did above was to
- change ownership of the root directory to
- change permissions of the root directory to 755
- create a chroot folder
- create a user folder inside the chroot folder
- create a folder inside the user folder that user can modify
- set ownership and permissions
Now to edit
/etc/sshd_config to the following.
<br /> #Subsystem sftp /usr/libexec/sftp-server<br /> Subsystem sftp internal-sftp<br /> Match User user<br /> X11Forwarding no<br /> AllowTcpForwarding no<br /> ForceCommand internal-sftp<br /> ChrootDirectory /chroot/user<br />
This creates a chroot jail. When the user logs in will drop them into the folder
/chroot/user, in that folder is a folder they can add things to
If you want to create a Group in Workgroup Admin for ‘Chroot Users’ then add the new users that you created in Workgroup Admin to the Group; you won’t have to keep editing the
/etc/sshd_configfile. Instead of the above, add the following. Make sure you add the ‘Chroot Users’ group to the SSH access ACL in Server Admin.
<br /> #Subsystem sftp /usr/libexec/sftp-server<br /> Subsystem sftp internal-sftp<br /> Match Group chrootusers<br /> X11Forwarding no<br /> AllowTcpForwarding no<br /> ForceCommand internal-sftp<br /> ChrootDirectory /chroot/%u<br />
If you have more than one chroot group just repeat the
Match Groupsetup again.
To test whether the above is working, issue the following from the terminal.
<br /> $ sftp firstname.lastname@example.org<br /> Password:<br /> sftp><br />
Getting in is one thing. Now you have to mount the folder you want to use. Unfortunately you can’t use a symlink inside of a chroot jail. This is where Homebrew is your best friend. I don’t know why I’ve never seen fit to install this before. After installation just issue the following commands.
<br /> brew install bindfs<br />
You might have to restart. Now with an empty folder created in
mount --bindto a folder outside of the chroot jail. For example
<br /> sudo /usr/local/bin/bindfs -u user /Library/Server/Web/Sites/Server/Documents/mysite/yourfolder /chroot/user/scratchpad<br />
So far this seems to work here.
Update for Mountain Lion Server
As I’ve updated my server from Snow Leopard to Mountain Lion, there’s one extra step.
From Workgroup Manager, you will need to create a home folder. Nothing really has to go into it, but it needs to be present. My settings are as follows.
Mac OS X Server/Share Point URL:afp://myserver.example.com/Users
Path to Home Folderusername
After setting this up the first time it seems to auto-populate for every other user. You’ll have to go to the Home tab, select it and Save.