我们在公司安装了 moodle,由于 SCORM 包很大 + 连接很慢 + 代理,我通常使用 root 用户通过 SFTP 上传它们。
现在,我想让用户自己上传文件到这个 moodle 文件夹,我该怎么做?我无法更改目标文件夹所有权,因为它是 moodle 的文件夹...
我遵循了以下说明(http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/)。我发现当它连接时会出现这个错误:
fatal: bad ownership or modes for chroot directory component "/home/"
我认为问题在于文件夹所有者(和父母)是“moodlegureak”:
[root@localhost repository]# ls -la
total 940
drwxrws--- 4 apache moodlegureak 4096 abr 10 2013 .
drwxrws--- 13 moodlegureak moodlegureak 4096 abr 28 07:18 ..
drwxr-xr-x 3 root moodlegureak 4096 abr 9 12:15 Archivo
这是我的/etc/passwd:
ftpmoodle:x:507:507::/home/moodlegureak/moodledata/repository/Archivos:/sbin/nologin
这是我的 /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /home/moodlegureak/moodledata/repository/Archivos
ForceCommand internal-sftp
AllowTCPForwarding no
我遵循了以下步骤:
1. Create a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.
# groupadd sftpusers
2. Create Users (or Modify Existing User)
Let us say you want to create an user guestuser who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to perform SSH.
The following command creates guestuser, assigns this user to sftpusers group, make /incoming as the home directory, set /sbin/nologin as shell (which will not allow the user to ssh and get shell access).
# useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
# passwd guestuser
Verify that the user got created properly.
# grep guestuser /etc/passwd
guestuser:x:500:500::/incoming:/sbin/nologin
If you want to modify an existing user and make him an sftp user only and put him in the chroot sftp jail, do the following:
# usermod -g sftpusers -d /incoming -s /sbin/nologin john
On a related note, if you have to transfer files from windows to Linux, use any one of the sftp client mentioned in this top 7 sftp client list.
3. Setup sftp-server Subsystem in sshd_config
You should instruct sshd to use the internal-sftp for sftp (instead of the default sftp-server).
Modify the the /etc/ssh/sshd_config file and comment out the following line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Next, add the following line to the /etc/ssh/sshd_config file
Subsystem sftp internal-sftp
# grep sftp /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
4. Specify Chroot Directory for a Group
You want to put only certain users (i.e users who belongs to sftpusers group) in the chroot jail environment. Add the following lines at the end of /etc/ssh/sshd_config
# tail /etc/ssh/sshd_config
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
In the above:
Match Group sftpusers – This indicates that the following lines will be matched only for users who belong to group sftpusers
ChrootDirectory /sftp/%u – This is the path that will be used for chroot after the user is authenticated. %u indicates the user. So, for john, this will be /sftp/john.
ForceCommand internal-sftp – This forces the execution of the internal-sftp and ignores any command that are mentioned in the ~/.ssh/rc file.
5. Create sftp Home Directory
Since we’ve specified /sftp as ChrootDirectory above, create this directory (which iw equivalent of your typical /home directory).
# mkdir /sftp
Now, under /sftp, create the individual directories for the users who are part of the sftpusers group. i.e the users who will be allowed only to perform sftp and will be in chroot environment.
# mkdir /sftp/guestuser
So, /sftp/guestuser is equivalent to / for the guestuser. When guestuser sftp to the system, and performs “cd /”, they’ll be seeing only the content of the directories under “/sftp/guestuser” (and not the real / of the system). This is the power of the chroot.
So, under this directory /sftp/guestuser, create any subdirectory that you like user to see. For example, create a incoming directory where users can sftp their files.
# mkdir /sftp/guestuser/incoming
6. Setup Appropriate Permission
For chroot to work properly, you need to make sure appropriate permissions are setup properly on the directory you just created above.
Set the owenership to the user, and group to the sftpusers group as shown below.
# chown guestuser:sftpusers /sftp/guestuser/incoming
The permission will look like the following for the incoming directory.
# ls -ld /sftp/guestuser/incoming
drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
The permission will look like the following for the /sftp/guestuser directory
# ls -ld /sftp/guestuser
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser
# ls -ld /sftp
drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
7. Restart sshd and Test Chroot SFTP
Restart sshd:
# service sshd restart
答案1
这OpenSSH sshd_配置文档对 chroot 目录的要求非常清楚。此限制适用于以下情况:Chroot目录指令使用:
Chroot目录
指定在认证后 chroot(2) 到的目录的路径名。路径名的所有组件都必须是 root 拥有的目录,且其他任何用户或组都无法写入。chroot 后,sshd(8) 将工作目录更改为用户的主目录。
获得所需内容的正常方法是使用绑定挂载。创建一个目录作为 chroot。您可以将此目录放在任何位置,只要它及其父目录符合 sshd 的要求。然后确定用户应有权访问的目录,并在 chroot 区域内创建一个目录来表示每个目录。然后使用绑定挂载(在该页面上搜索“bind”)将这些目录挂载到各自的挂载点。您可以执行以下操作:
# mkdir /var/jail
# mkdir /var/jail/www
# mount -o bind /var/www /var/jail/www # Make /var/www accessible within the jail
答案2
internal-SFTP提供一种简单的 chrooted SFTP 方法,但确实有一些限制。如果您想避免 root 拥有的父目录等限制,则必须使用sftp-server,但您必须为用户创建一些最小的 chrooted 环境,使用bash、等。cdls
应按照此处所述创建 Chrooted 环境: http://www.58bits.com/blog/2014/01/09/ssh-and-sftp-chroot-jail