Debian – bad ownership or modes for chroot directory “/var/www”

chmoddebiansftpsshsshd

I am getting following error in auth.log when trying to connect to site using SFTP.

fatal: bad ownership or modes for chroot directory "/var/www"

ls -ld of this directory shows this:

drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/

As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser which is part of sftponly group.

If I do following then I can connect but cannot rename, edit, delete, overwrite any file or folder inside www

sudo chmod 755 /var/www/

Here's my sshd_config setting

Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.

How to fix this issue?

Best Answer

Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.

See this question's answer for more info Server Fault Question

Related Solutions

What’s missing from the sftp chroot setup

Looks like the ChrootDirectory should point to one level ABOVE the home directory.

So since guest's home is /var/www/uploads/guest, then the ChrootDirectory should point to /var/www/uploads

That's a MAYBE.... another thought occurred to me:

You manually installed the newer openssh, did you remove the old version? Where did the new version get installed? sometimes, if you're not careful, new stuff will get installed into /usr/local/ instead of /usr, meaning the sftp enabled server is reading its config files from /usr/local/etc/ssh/... instead of the expected /etc/ssh/...

Something to check at least.

AIX 6.1 SFTP: Allow chroot’d user to access files in location outside their home

Symlinks are essentially just pointers to another file, but you can't point to something outside the chroot because it would be looking for a file with that name which doesn't exist inside the chroot.

You could use mount with bind to remount the directories you need in the jail.

For example:

# mount --bind /bin /chroot/bin
# mount --bind /lib /chroot/lib
# chroot /chroot

If you wish to place it in /etc/fstab, the same example would look like:

/bin /chroot/bin none bind
/lib /chroot/lib none bind

Best Answer

Related Solutions

What’s missing from the sftp chroot setup

AIX 6.1 SFTP: Allow chroot’d user to access files in location outside their home

Related Question