unix - SFTP server, limited user access - unix

The usuall question that still is challanging to implement: having one directory shared through sftp (read-only). Following this wiki: http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP
The changes I made on ssh_config are:
PasswordAuthentication yes
Match Group sftp-users
ChrootDirectory /home
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Then creating a user in the group:
useradd -M -G sftp-users username-sftp
passwd username-sftp
Restarting ssh to take settings:
restart ssh
Then connecting to this host from another PC provides the ftp prompt:
sftp username-sftp#hostname
But when executing the ls command, I see all directories in the root of the sftp server.
sftp> ls
bin boot cdrom dev etc home initrd.img initrd.img.old lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz
How can I limit the access of sftp-users to only one directory?

I was actually editing the wrong config file. The one that contains the settings is "sshd_config" and not "ssh_config".

Related

chroot SFTP- works only on user directory but not on other directories

on Ubuntu 20.04
I have a WordPress site on directory /var/www/site.com/public_html/
I created a staging site inside the mail directory /var/www/site.com/public_html/stagesite
I am trying to five access only to the stagesite folder to be accessed by developer to be able to edit and update files inside.
Steps taken
created user "developer" and group "restricted" and developer user is a restricted group user
updated the folder owner and permissions sudo chown -R root:root stagesite/ && sudo chmod -R 775 /stagesite
added to the end of sshd_config file /etc/ssh/sshd_config
Match Group restricted
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /var/www/mainsite.com/public_html/stagesite
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
NOW tried to connect with Filezilla, it will not connect using SFTP
I tried adding sub-directory to the ChrootDirectory to be like below but still didn't connect
/var/www/mainsite.com/public_html/stagesite/wp-content
I was only able to connect when setting ChrootDirectory to the user home directory
/home/developer
It is required that all directories from the home of the chrooted user to the root must be owned by root:root and must not be group or world writable. This is probably not the case for fileadmin home directory.

Not able to mount directory after updating fstab

On a Windows file share I created a folder and shared it with a service account.
I have added a mount point entry to fstab like this:
//server/folder /mnt/folder cifs credentials=/root/creds/creds,noperm
Where the creds file contains credentials for above mentioned service account.
Then run mount -a to activate the mount point.
It gives an error like:
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Couldn't chdir to /mnt/folder: No such file or directory
I have tried mounting the directory manually and receive the same error.
What the heck am I missing?
Ah. I had not created folder in /mnt/folder on the UNIX side. Did mkdir /mnt/folder.
I was then able to see folder in /mnt but it was empty.
Did a mount -a and can now see the contents of the Windows share in /mnt/folder
I seems like I had to do mount -a from /etc as when I issued the command from /mnt it just hung for a while until I killed it and then tried from /etc

"mount --bind" disappear directory for user

I have a server setup with multiple sites running with nginx
/var/www/site1.com
/var/www/site2.com
I want to create chroot users so I created a group and user
addgroup sftpgroup
adduser sftpuser1 -G stfpgroup
in my sshd_config I updated with:
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
I am able to connect sftpuser1 via sftp and see the home directory, Now I want user to have access on site's folder at
/var/www/site1.com
so I connect sftpuser1 via sftp and created a folder /home/sftpuser1/sit1.com, Than with root login I created mount:
mount --bind /var/www/sit1.com /home/sftpuser1/sit1.com
Now when I login with sftp of stfpuser1 the folder '/home/sftpuser1/sit1.com' has disappeared
But when I login with root I can see the folder in user's directory and its displaying site1.com's content.
I checked the folder permission were changed to root:root, I chown to sftpuser1:sftpuser1 but still folder doesn't appear.
When I umount folder, its visibile to stfpuser1 again.
If the owner of /var/www/ is root and others don't have permission to read from it, then all the directories inside won't be visible to them.
I was able to do so, Here are the steps it took, in sshd_config:
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
than I created user with:
useradd -g sftpgroup -d /var/www/site1.com site1user
At this point I make sure that /var/www/site1.com is owned by root
chown root:root /var/www/site1.com
than I created another directory where user will be able to write
mkdir /var/www/site1.com/http_docs
than I changed the permission to user:
chown site1user:sftpgroup /var/www/site1.com/http_docs
than I set the user password:
passwd site1user
and all seems to working as it should.

Syncing local and remote directories using rsync+ssh+public key as a user different to the ssh key owner

The goal is to sync local and remote folders over ssh.
My current user is user1, and I have a password-less access setup over ssh to a server server1.
I want to sync local folder with a folder on server1 by means of rsync utility.
Normally I would run:
rsync -rtvz /path/to/local/folder server1:/path/to/remote/folder
ssh access works as expected, rsync is able to connect over ssh, but it returns "Permission denied" error because on server1 the folder /path/to/remote/folder is owned by user2:user2. File permissions of the folder do not allow it to be altered by anyone else.
user1 is a sudoer on server1 so sudo su - user2 works during ssh session.
How to forse rsync to switch the user when it ssh'ed to the server?
Adding user1 to the group user2 is not an option because all user/group management on the server is done automatically and replicated from a central repo every X mins, that I have not access to.
Same for changing permissions/ownership of the destination folder: it is updated automatically on a regular basis with a reset of all permissions.
Possible solution coming to my mind is a script that syncs the local folder with a temporary intermediate remote folder owned by user1 on the server, and then syncs two remotes folders as user2.
Googling for a shorter and prettier solution did not yield any success.
I have not tried it by myself, but how about using rsync's '--rsync-path' option?
rsync -rtvz --rsync-path='sudo -u user2 rsync' /path/to/local/folder server1:/path/to/remote/folder
To fix the permissions problem you need to run rsync over an an SSH session that logs in remotely as user2:
rsync avz -e 'ssh -i privatekeyfile' /path/to/local/folder/ user2#server1:/path/to/local/folder
The following answer explains how to setup the SSH keys.
Ant, download fileset from remote machine
Set up password-less access for user1 to access user2#server1, then do:
rsync -rtvz /path/to/local/folder user2#server1:/path/to/remote/folder

How to change the owner for a rsync

I understand preserving the permissions for rsync.
However in my case my local computer does not have the user the files need to under for the webserver. So when I rsync I need the owner and group to be apache on the webserver, but be my username on my local computer. Any suggestions?
I wanted to clarify to explain exactly what I need done.
My personal computer: named 'home' with the user account 'michael'
My web server: named 'server' with the user account 'remote' and user account 'apache'
Current situation: My website is on 'home' with the owner 'michael' and on 'server' with the owner 'apache'. 'home' needs to be using the user 'michael' and 'server' needs to be using the user 'apache'
Task: rsync my website on 'home' to 'server' but have all the files owner by 'apache' and the group 'apache'
Problem: rsync will preseve the permissions, owner, and group; however, I need all the files to be owner by apache. I know the not preserving the owner will put the owner of the user on 'server' but since that user is 'remote' then it uses that instead of 'apache'. I can not rsync with the user 'apache' (which would be nice), but a security risk I'm not willing to open up.
My only idea on how to solve: after each rsync manually chown -R and chgrp -R, but it's a huge system and this takes a long time, especially since this is going to production.
Does anyone know how to do this?
Current command I use to rsync:
rsync --progress -rltpDzC --force --delete -e "ssh -p22" ./ remote#server.com:/website
If you have access to rsync v.3.1.0 or later, use the --chown option:
rsync -og --chown=apache:apache [src] [dst]
More info in an answer from a similar question here: ServerFault: Rsync command issues, owner and group permissions doesn´t change
There are hacks you could put together on the receiving machine to get the ownership right -- run 'chmod -R apache /website' out of cron would be an effective but pretty kludgey option -- but instead, I'd recommend securely allowing rsync-over-ssh-as-apache.
You'd create a dedicated ssh keypair for this:
ssh-keygen -f ~/.ssh/apache-rsync
and then take ~/.ssh/apache-rsync.pub over to the webserver, where you'd put it into ~apache/.ssh/authorized_keys and carefully specify the allowed command, something like so, all on one line:
command="rsync --server -vlogDtprCz --delete . /website",from="IP.ADDR.OF.SENDER",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAABKEYPUBTEXTsVX9NjIK59wJ+fjDgTQtGwhATsfidQbO6u77dbAjTUmWCZjKAQ/fEFWZGSlqcO2yXXXXXXXXXXVd9DSS1tjE6vAQaRdnMXBggtn4M9rnePD2qlR5QOAUUwhyFPhm6U4VFhRoa3wLvoqCVtCV0cuirB6I45On96OPijOwvAuz3KIE3+W9offomzHsljUMXXXXXXXXXXMoYLywMG/GPrZ8supIDYk57waTQWymUyRohoQqFGMzuDNbq+U0JSRlvLFoVUZ5Piz+gKJwwiFwwAW2iNag/c4Mrb/BVDQAyEQ== comment#email.address
and then your rsync command on your "home" machine would be something like
rsync -av --delete -e 'ssh -i ~/.ssh/apache-rsync apache#server' ./ /website
There are other ways to skin this cat, but this is the clearest and involves the fewest workarounds, to my mind. It prevents getting a shell as apache, which is the biggest security concern, natch. If you're really deadset against allowing ssh as apache, there are other ways ... but this is how I've done it.
References here: http://ramblings.narrabilis.com/using-rsync-with-ssh, http://www.sakana.fr/blog/2008/05/07/securing-automated-rsync-over-ssh/
Last version (at least 3.1.1) of rsync allows you to specify the "remote ownership":
--usermap=tom:www-data
Changes tom ownership to www-data (aka PHP/Nginx). If you are using Mac as the client, use brew to upgrade to the last version. And on your server, download archives sources, then "make" it!
The solution using rsync --chown USER:GROUP [src] [dst] only works if the remote user has write access to the the destination directory which in most cases is not the case.
Here's another solution:
Overview
(srcmachine) (rsync) (destmachine)
srcuser -- SSH --> destuser
|
| sudo su jenkins
|
v
jenkins
Let's say that you want to rsync:
From:
Machine: srcmachine
User: srcuser
Directory: /var/lib/jenkins
To:
Machine: destmachine
User: destuser to establish the SSH connection.
Directory: /tmp
Final files owner: jenkins.
Solution
rsync --rsync-path 'sudo -u jenkins rsync' -avP --delete /var/lib/jenkins destuser#destmachine:/tmp
Read more here:
https://unix.stackexchange.com/a/546296/116861
rsync version 3.1.2
I mostly use windows in local, so this is the command line i use to sync files with the server (debian) :
user#user-PC /cygdrive/c/wamp64/www/projects
$ rsync -rptgoDvhnP --chown=www-data:www-data --exclude=.env --exclude=vendor --exclude=node_modules --exclude=.git --exclude=tests --exclude=.phpintel --exclude=storage ./website/ username#hostname:/var/www/html/website
-n : perform a trial run with no changes made, to really execute the command remove the -n option

Resources