SELinux and chrooted sftp

Set up of sftp-only access to a server for a subset of users on a Scientific Linux 6 install with SELinux enforcing:

Create sftponly group and added users with sftp-server as their shell:

addgroup sftponly
useradd -d /home/$USERNAME -s /usr/lib/sftp-server -M -N -g sftponly $USERNAME
mkdir -p /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown $USERNAME:sftponly /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown root /home/$USERNAME
chmod 755 /home/$USERNAME
chmod 700 /home/$USERNAME/.ssh
passwd $USERNAME
echo '/usr/lib/sftp-server' >> /etc/shells

They will chroot into their home directory, so this needs to be owned by root and not writable by any other user, including $USERNAME. As the user won’t have write access to their own home directory, you need to manually create a .ssh directory for them and a subdirectory to which they do have write access, for their files.

Changed /etc/ssh/sshd_config to chroot to the home directory of sftp-only users

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Make sure selinux allows write access to chroot’ed home directories:

setsebool -P ssh_chroot_rw_homedirs on

I also needed to do a restorecon on the home directory to get selinux to allow sftp users to write to their uploads directory:

restorecon -R /home/$USERNAME

Seems to be working okay now.

8 responses to “SELinux and chrooted sftp

  1. Pingback: CentOS 6.3 sftp chroot jail - Page 2

  2. Thanks!!

  3. Hello, this helped me but:
    when adding my user I had to specify the shell as /usr/libexec/openssh/sftp-server
    and the addition of that shell (in your doc /usr/lib/sftp-server) to /etc/shells didn’t appear to mean anything.

  4. use sbin/nologin for shell instead of /usr/libexec/openssh/sftp-server

  5. Yes. The fact that its chroot users are privileged only to put/get files or create folder on their directory and not wonder around to execute shell commands.

  6. You also need to type this if you don’t want to completely disable SELinux:
    # setsebool -P ssh_chroot_full_access on

  7. Hi,
    I have tryed your guide but the result after this implementation is that I haven’t permission to write in my folder. You have any suggestion ?

    thank you so much!

  8. oh my heavens! Yes… this is the solution. I’ve been scratching my head about why an SFTP cannot write to their CHROOT home directory for days!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s