SELinux and chrooted sftp

Posted on August 16, 2012 | 8 Comments

Set up of sftp-only access to a server for a subset of users on a Scientific Linux 6 install with SELinux enforcing:

Create sftponly group and added users with sftp-server as their shell:

addgroup sftponly
useradd -d /home/$USERNAME -s /usr/lib/sftp-server -M -N -g sftponly $USERNAME
mkdir -p /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown $USERNAME:sftponly /home/$USERNAME/uploads /home/$USERNAME/.ssh
chown root /home/$USERNAME
chmod 755 /home/$USERNAME
chmod 700 /home/$USERNAME/.ssh
passwd $USERNAME
echo '/usr/lib/sftp-server' >> /etc/shells

They will chroot into their home directory, so this needs to be owned by root and not writable by any other user, including $USERNAME. As the user won’t have write access to their own home directory, you need to manually create a .ssh directory for them and a subdirectory to which they do have write access, for their files.

Changed /etc/ssh/sshd_config to chroot to the home directory of sftp-only users

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Make sure selinux allows write access to chroot’ed home directories:


setsebool -P ssh_chroot_rw_homedirs on

I also needed to do a restorecon on the home directory to get selinux to allow sftp users to write to their uploads directory:

restorecon -R /home/$USERNAME

Seems to be working okay now.

This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

8 responses to “SELinux and chrooted sftp

  1. Pingback: CentOS 6.3 sftp chroot jail - Page 2

  2. Angelo Pérez | January 19, 2013 at 5:18 pm | Reply

    Thanks!!

  3. blikey | March 20, 2013 at 11:42 pm | Reply

    Hello, this helped me but:
    when adding my user I had to specify the shell as /usr/libexec/openssh/sftp-server
    and the addition of that shell (in your doc /usr/lib/sftp-server) to /etc/shells didn’t appear to mean anything.

  4. thadmailistthad | August 22, 2013 at 3:55 pm | Reply

    use sbin/nologin for shell instead of /usr/libexec/openssh/sftp-server

  5. thadmailistthad | August 23, 2013 at 6:22 pm | Reply

    Yes. The fact that its chroot users are privileged only to put/get files or create folder on their directory and not wonder around to execute shell commands.

  6. Ali | March 4, 2014 at 10:59 pm | Reply

    You also need to type this if you don’t want to completely disable SELinux:
    # setsebool -P ssh_chroot_full_access on

  7. Emiliano | March 11, 2014 at 1:55 pm | Reply

    Hi,
    I have tryed your guide but the result after this implementation is that I haven’t permission to write in my folder. You have any suggestion ?

    thank you so much!

  8. James Wilmington | January 3, 2019 at 1:49 pm | Reply

    oh my heavens! Yes… this is the solution. I’ve been scratching my head about why an SFTP cannot write to their CHROOT home directory for days!

Leave a reply to Ali Cancel reply