In Linux, chroot stands for change root. It changes the apparent root directory of a process (here the SFTP server handling a login) so that the process, and any paths it resolves, cannot reach anything outside that directory.
SFTP (SSH File Transfer Protocol) is a means of transferring files from a client to a server over an SSH connection.
Sometimes, you may want to grant SFTP access to allow users to upload files on your Linux server. However, this could pose a security risk to the entire file system.
To mitigate this risk, chroot is used. It changes the root directory of the user during an SFTP session, ensuring isolation from the main system.
Chrooted users cannot escape the jail as long as the chroot directory, and every directory on the path leading to it, is owned by root and is not group- or world-writable (sshd checks this and refuses the login otherwise). Inside the jail they can still run the standard SFTP commands to manage their directories and files.
This is a step-by-step guide for creating an SFTP chroot environment on an Ubuntu 16.04 instance that locks users to their home directory while restricting shell access for security purposes.
Prerequisites
- A Linux server running Ubuntu 16.04.
- A non-root user with sudo privileges
Step 1: Creating an SFTP Group
To manage chrooted users, create a group using the groupadd command:
sudo groupadd sftpusers
Replace sftpusers with your preferred group name.
Step 2: Setting Up OpenSSH
SFTP operates over SSH and inherits its security properties: the session is encrypted, which prevents password and data sniffing, and host key verification on the client side is what protects against man-in-the-middle attacks.
OpenSSH reads configuration settings from /etc/ssh/sshd_config. Modify this file using a text editor such as nano:
sudo nano /etc/ssh/sshd_config
Locate the existing Subsystem line (it may or may not be commented out):
#Subsystem sftp /usr/lib/openssh/sftp-server
And change it to:
Subsystem sftp internal-sftp
Add the following lines at the end of the file. A Match block applies to every directive that follows it until the next Match, so it must come after all of the global settings:
Match Group sftpusers
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Ensure to replace sftpusers with the group name you created.
Explanation of Configuration:
- Subsystem sftp internal-sftp: uses the SFTP server built into sshd instead of the external sftp-server binary. Because it runs in-process, nothing from the host (binaries, libraries, /dev nodes) needs to be copied into the jail.
- Match Group sftpusers: applies the settings that follow only to users in the sftpusers group.
- ChrootDirectory %h: restricts users to their home directory; %h expands to the user's home, which is why that directory must be owned by root and not writable by the user.
- X11Forwarding no: disables X11 forwarding so the account cannot tunnel graphical applications.
- AllowTcpForwarding no: disables TCP forwarding so the account cannot be used as a port-forwarding pivot through the server.
- ForceCommand internal-sftp: runs only the SFTP server on login, regardless of what the client requests, so no shell or other command is available.
Restart the SSH daemon after making changes. Keep your current session open until you have confirmed that a new connection still works, so a typo in sshd_config cannot lock you out:
sudo service ssh restart
Step 3: Configuring User Accounts
Create and configure user accounts. For example, to create a user named jacob:
sudo adduser jacob
Follow the prompts to set the user password and details. By default, this command creates a home directory /home/jacob. Add the user to the sftpusers group (the -a flag appends to the user's existing supplementary groups instead of replacing them):
sudo usermod -aG sftpusers jacob
Change the ownership of the user's home directory to root. This is required by sshd: if the chroot directory is owned by anyone else or is writable by group or others, the login fails and auth.log records "bad ownership or modes for chroot directory":
sudo chown root:root /home/jacob
Set the appropriate permissions (owner read/write/execute, everyone else read/execute only):
sudo chmod 755 /home/jacob
Because jacob cannot write to the jail's root, create subdirectories within the home directory and assign them to the user:
sudo mkdir /home/jacob/outbound
sudo chown jacob:jacob /home/jacob/outbound
sudo mkdir /home/jacob/inbound
sudo chown jacob:jacob /home/jacob/inbound
sudo chmod 700 /home/jacob/inbound
chmod 700 lets only jacob read, write and enter inbound; no other non-root account on the server can read what is uploaded there. outbound keeps the default 755, so other local accounts can read the files jacob places in it.
Step 4: Testing the Configuration
Connect to your server using SFTP with the newly created user:
sftp jacob@<your-vps-ip>
Verify the connection by running the pwd command:
sftp> pwd
Remote working directory: /
The chroot makes /home/jacob appear as /, so the user sees only inbound and outbound and has no way to name a path outside the jail.
Step 5: Confirming Shell Access Restriction
Attempt to connect via SSH with the restricted user credentials. If the setup is correct, shell access is denied: authentication succeeds, but ForceCommand hands the session to internal-sftp, which prints "This service allows sftp connections only." and closes the connection because the client asked for a terminal.
Congratulations! You have successfully created a chroot environment with SFTP access for your users.

