I have a setup with sftp only users:
    Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
I get the following message in my secure.log:
fatal: bad ownership or modes for chroot directory
With the Match keyword there comes some security stuff with it… the directories need to be owned by root, and the directories need to be chmod 755 (drwxr-xr-x). So it makes it impossible for a user to have write permissions to the folders, if it is only writable by the user root and set to be non-writable for groups due to ssh's security.
Does someone know of a good workaround?
Best Answer
I have the same settings on our server. We use the same SSHD config. Users' home directories are owned by root, and within them there are folders documents and public_html owned by the respective users. Users then log in using SFTP and write into those folders (not directly into home). As SSH is not allowed for them, it works perfectly. You can adjust which directories will be created for new users in /etc/skel/ (at least in openSUSE, I'm not so familiar with other distros).
Another possibility would be ACL (openSUSE documentation) - it can add write permission for the respective user for his home directory.
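A pre-flight check for the "bad ownership or modes for chroot directory" error discussed above, as an added example that is not part of the original question or answer: sshd requires every directory from / down to the ChrootDirectory target to be owned by root and not writable by group or others. The function names and the optional UID argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pre-flight audit of a ChrootDirectory path.
# sshd refuses to chroot unless every directory from / down to the chroot
# target is owned by root and not writable by group or others.

# check_component DIR [UID]
# Succeeds if DIR is a directory owned by UID (default 0) with no group/other
# write bit. The UID argument is an assumption of this sketch so the check can
# be exercised on scratch directories without root.
check_component() {
    cc_dir=$1
    cc_want=${2:-0}
    if [ ! -d "$cc_dir" ]; then
        echo "not a directory: $cc_dir" >&2
        return 1
    fi
    # "ls -ldn" prints: <mode> <links> <numeric uid> <numeric gid> ...
    read -r cc_mode cc_links cc_uid cc_rest <<EOF
$(ls -ldn "$cc_dir/.")
EOF
    case $cc_mode in
        ?????w*|????????w*)   # 6th char = group write, 9th char = other write
            echo "group/other writable: $cc_dir ($cc_mode)" >&2
            return 1 ;;
    esac
    if [ "$cc_uid" != "$cc_want" ]; then
        echo "bad owner: $cc_dir (uid $cc_uid, want $cc_want)" >&2
        return 1
    fi
    return 0
}

# check_chroot_path PATH
# Walks PATH and each parent up to / and applies the root-owned check.
check_chroot_path() {
    cp_path=$1
    case $cp_path in
        /*) ;;
        *) echo "path must be absolute: $cp_path" >&2; return 1 ;;
    esac
    while :; do
        check_component "$cp_path" 0 || return 1
        [ "$cp_path" = / ] && return 0
        cp_path=$(dirname "$cp_path")
    done
}
```

Run `check_chroot_path` on a user's home directory before enabling the Match block; the user-owned folders inside it (documents, public_html in the answer) are not part of the chroot path and are not subject to this check.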