Friday, November 1, 2019

server - Trying to setup a SFTP user with limited access

I was hoping someone could help me with this problem:

"Trying to setup a SFTP user with limited access."

I'm running Ubuntu 16.04.2 x64 on a DigitalOcean server. I've posted this on the DigitalOcean forums too.

Current setup

  • I've set up my server using ServerPilot.
  • The system user is called serverpilot
  • serverpilot has root privileges
  • The home folder is located at: /srv/users/serverpilot
  • The public folder is located at: /srv/users/serverpilot/apps/test-app/public/

What I want to do

I want to add a second user, but restrict what the user can do:

  • Only access a single folder called newsletters; it will be in the public folder.
  • The user needs to be able to upload, delete and rename files via SFTP
  • The user must not be able to navigate away from the newsletters folder

This is the full path to the newsletters folder:
/srv/users/serverpilot/apps/test-app/public/newsletters

What I've done so far

I've followed this guide: How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata); there's a great reply by Jonathan Tittle (@jtittle).

However, I'm still having problems logging in via SFTP.

I've listed out all the steps I've done - hopefully someone with more experience will be able to spot my error(s)!

1. Created a new user

  1. Logged in as root
  2. Created a new user called user-sftp-only:
       adduser user-sftp-only
  3. I can check the user has been created by running:
       compgen -u
     user-sftp-only is at the bottom of the list
  4. I can also see what the path of the user is and shell access by running:
       grep user-sftp-only /etc/passwd
     which outputs:
       user-sftp-only:x:1004:1007:,,,:/home/user-sftp-only:/bin/bash

2. Give new user root privileges

  1. Give new user user-sftp-only root privileges:
       gpasswd -a user-sftp-only sudo
  2. Log out as root

3. Create a new directory

  1. Logged in as user-sftp-only
  2. Create a new directory in public called newsletters:
       cd /srv/users/serverpilot/apps/test-app/public/
     Followed by:
       sudo mkdir newsletters

4. Check directory permissions

Still inside the public folder from the previous step, I run:

    $ ls -al
    drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
    drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
    -rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
    drwxrwxr-x+ 2 root root 4096 Mar 7 15:26 newsletters

From reading various DigitalOcean posts, I know I need to create a group and assign my new user user-sftp-only to that group, then change root root to the name of my user and group.

5. Create a new group

  1. Logged in as user-sftp-only
  2. sudo groupadd group-sftp-only
  3. I can check the group has been created by running:
       compgen -g
     group-sftp-only is at the bottom of the list

Note: I notice my new user called user-sftp-only is also in this list?

6. Add user to the group

  1. Logged in as root
  2. Added the user user-sftp-only to a group called group-sftp-only
  3. Doing this means it's no longer possible to SSH in as user user-sftp-only

    usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only

    • -g specifies the group name
    • -d specifies the user's home directory
    • -s specifies shell access (/sbin/nologin means SSH is disabled for this user)

7. Verify the changes to the user

Logged in as root:

    $ grep user-sftp-only /etc/passwd
    user-sftp-only:x:1001:1004:,,,:/srv/users/serverpilot/apps/test-app/public/newsletters:/sbin/nologin

8. Modify SSH Configuration to allow SFTP

  1. Logged in as root
  2. nano /etc/ssh/sshd_config
  3. Commented out this line:
       #Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
  4. At the very bottom of sshd_config added this:

    Subsystem sftp internal-sftp
    Match group group-sftp-only
        ChrootDirectory %h
        ForceCommand internal-sftp

9. Restart SSH

  1. Still logged in as root
  2. service ssh restart

10. Modify permissions

  1. Still logged in as root
  2. This is the home directory for user user-sftp-only:
       /srv/users/serverpilot/apps/test-app/public/newsletters
  3. Used this to make sure the home directory is owned by the user and group:

    chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters

11. Verify ownership change

Still logged in as root:

    $ cd /srv/users/serverpilot/apps/test-app/public/
    $ ls -al
    drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
    drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
    -rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
    drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 newsletters

    $ cd /srv/users/serverpilot/apps/test-app/public/newsletters
    $ ls -al
    drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 .
    drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 ..

That's where I'm up to. However, I can't log in as my new user user-sftp-only via SFTP.
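
Added example, not part of the original post or of the guides it links: a small POSIX shell audit of a prospective ChrootDirectory path. sshd_config(5) documents that every component of the ChrootDirectory path must be a root-owned directory that is not writable by any other user or group; when that rule is broken, sshd closes the session and writes "bad ownership or modes for chroot directory component" to /var/log/auth.log, which is the first place to look when an SFTP-only login fails silently. The script below walks from the target directory up to / and reports each component that breaks the rule. It assumes GNU coreutils stat (as on the Ubuntu server in the post); the function names mode_ok and check_chroot_path and the sample paths are this example's own. Applied to the layout shown in step 11, it would flag the newsletters directory itself (owned by user-sftp-only, mode drwxrwxr-x); the usual layout that satisfies the rule is a root-owned chroot directory with a user-owned, writable subdirectory beneath it.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ChrootDirectory path
# against OpenSSH's rule that every component must be a root-owned
# directory that is not writable by group or others.
# Assumes GNU coreutils `stat` (Ubuntu); the function names are this
# example's own, and any path passed in is the caller's (constructed) input.

# mode_ok UID OCTAL_MODE
# Returns 0 when UID is 0 and neither the group nor the "other" permission
# digit carries the write bit. OCTAL_MODE is what `stat -c %a` prints
# (e.g. 755, 775, 1777), so a leading setuid/setgid/sticky digit is dropped.
mode_ok() {
    uid=$1
    perm=$2
    # left-pad to at least three digits, then keep only the last three
    while [ ${#perm} -lt 3 ]; do perm="0$perm"; done
    perm=${perm#"${perm%???}"}
    g=${perm#?}; g=${g%?}      # group permission digit
    o=${perm#??}               # other permission digit
    [ "$uid" -eq 0 ] || return 1
    case $g in 2|3|6|7) return 1;; esac   # group write bit set
    case $o in 2|3|6|7) return 1;; esac   # other write bit set
    return 0
}

# check_chroot_path /absolute/path
# Walks from the target directory up to / and prints one line per component.
# Returns 0 if sshd would accept the path as a chroot, 1 if any component is
# missing or breaks the ownership/mode rule, 2 if the path is not absolute.
check_chroot_path() {
    dir=$1
    case $dir in /*) ;; *) echo "path must be absolute: $dir" >&2; return 2;; esac
    rc=0
    while :; do
        if [ ! -d "$dir" ]; then
            printf 'MISSING %s\n' "$dir"
            rc=1
        else
            # GNU stat: numeric owner uid and octal mode of this component
            set -- $(stat -c '%u %a' "$dir")
            if mode_ok "$1" "$2"; then
                printf 'ok      %s (uid=%s mode=%s)\n' "$dir" "$1" "$2"
            else
                printf 'PROBLEM %s (uid=%s mode=%s; must be root-owned and not group/other-writable)\n' "$dir" "$1" "$2"
                rc=1
            fi
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Stand-alone use: audit the path given as the first argument, e.g.
#   sh chroot-audit.sh /srv/users/serverpilot/apps/test-app/public/newsletters
# With no argument nothing runs, so the functions can be sourced or tested.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Every PROBLEM line corresponds to a component sshd will reject; the fix is always ownership or mode on that component (chown root and remove group/other write), never a change to sshd_config. Note that a world-writable parent such as /tmp fails the check as well, which is why a chroot is normally placed under a dedicated root-owned tree rather than in a shared directory.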
