OT: chroot sftp centos 7
scooter6 at gmail.com
Tue Mar 26 18:25:42 PDT 2019
Well I'm glad I could piss you off
Next time I won't start my post with OT unless it involves a joke
thanks for your time and input
As I said, I mimicked my setup that worked for me on 5.10 but for some
reason complains with the exact same setup on centos 7
I know sftp works out of the box on centos 7 - but these users should be
jailed and not able to navigate around other than to their 'attachments'
directory - they drop off files and that's it....
I'll look at my configuration again and see if everything is in order.
Moving forward, I'll make sure I have my checkbook in hand when asking for
any assistance from this 'community'.
On Tue, Mar 26, 2019 at 9:11 PM Fairlight via Filepro-list <
filepro-list at lists.celestial.com> wrote:
> This is way outside the scope of filePro. For that matter, so was the mail
> stuff last week.
>
> At this point, you've come to the filePro list for a good percentage of
> what should be Linux 101 and done within the scope of a CentOS community,
> asking us to help set up your new box. While it's been a form of cheap
> amusement to watch you go on this journey, that benefit has outstayed its
> welcome, at least for me. In fact, it's annoying the hell out of me,
> because you should be either researching your problems, or paying someone
> to do it. As someone who does systems administration for a living, I
> can say I'm quite irked on principle to see you repeatedly trying to get
> something for nothing in terms of systems administration. It's like going
> to a professional car mechanics' retreat without being a professional
> mechanic yourself, and trying to get your car fixed for free. Insulting
> doesn't quite do it justice.
>
> At the -very- least, you should be leaning on a community actually focused
> on the platform at hand.
>
> Respectfully, I would suggest you either hire someone who can get it
> done, or find a community better suited to handling the *nix-specific
> issues you keep running into which are wholly unrelated to filePro
> itself. You may use filePro, but these aren't even filePro integration
> problems/issues/questions, at this point. These are *nix subsystem and
> functionality issues, full stop.
>
> What you've been doing is the equivalent of someone coming in here and
> asking how to configure IIS on Windows. It makes about as much sense, and
> it's really not the venue.
>
> If this is for a hobby, figure it out. If this is for business, it should
> be paid work for someone, past a certain point. You've really been pushing
> it lately.
>
> And for the record, stock sftp on CentOS 7 works just fine. I've got it
> working on many boxes, and there are no issues as long as permissions and
> groups are correct.
>
> /home/ should be root:root 0755.
>
> /home/frontier/ should be root:root 0755.
>
> Under there, you should have subdirectories for file storage and retrieval.
> Assume a common idiom of inbound and outbound:
>
> /home/frontier/inbound/ frontier:users 0755
> /home/frontier/outbound/ frontier:users 0755
>
> You need those subdirectories, because frontier will not be able to write
> directly to a directory owned by root with 0755, which is mandatory.
>
> You do -not- actually need the sftponly group on the subdirectories. That
> group serves only as a trigger for sftp jailing.
>
> The user -must- have sftponly as their primary group.
>
> This is the sshd_config section which works for me:
>
> Match group sftponly
> X11Forwarding no
> AllowTcpForwarding no
> ForceCommand internal-sftp
> ChrootDirectory %h
>
> I wonder if you have /home/ set incorrectly. Aside from ChrootDirectory
> expando differences, the rest of what you have looks correct.
>
> I can, however, confirm that sftp works just fine on CentOS 7 with
> openssh-7.4p1-16.el7.x86_64. I'm looking directly at a working one which
> has been verified and is in production.
>
> mark->
>
>
>
> On Tue, Mar 26, 2019 at 07:13:33PM -0400, scooter6--- via Filepro-list
> thus spoke:
> > Is anyone aware of anything changing as to how to chroot sftp users on
> > centos 7?
> > I have everything setup identically on new server and keep getting
> > fatal: bad ownership or modes for chroot directory component "/" [postauth]
> >
> > Everything I know says root has to own the directory in the full path up
> > until the chroot directory
> >
> > The only way I can even get a sftpuser to connect is if I make them the
> > owner of the /home directory
> >
> > Old server: this is in /home
> >
> > drwxr-xr-x 3 root root 4096 Oct 16 11:15 frontier
> >
> > Then, if you go to /home/frontier:
> >
> > drwxr-xr-x 3 frontier sftponly 4096 Mar 19 15:45 attachments
> >
> > sshd_config:
> >
> > Match Group sftponly
> > ChrootDirectory /home/%u
> > ForceCommand internal-sftp
> > X11Forwarding no
> > AllowTcpForwarding no
> >
> > New server: this is in /home
> >
> > drwxr-xr-x 4 root root 38 Mar 26 18:17 frontier
> >
> > Then, if you go to /home/frontier:
> >
> > drwxr-xr-x 2 frontier sftponly 6 Mar 26 19:05 attachments
> >
> > sshd_config has:
> >
> > Match Group sftponly
> > ChrootDirectory /home/%u
> > ForceCommand internal-sftp
> > X11Forwarding no
> > AllowTcpForwarding no
> >
> > Only thing different on servers are the UID/GIDs
> >
> > Old server for frontier:
> >
> > id frontier
> >
> > uid=1014(frontier) gid=502(sftponly) groups=502(sftponly)
> >
> > New server:
> >
> > id frontier
> >
> > uid=2043(frontier) gid=1503(sftponly) groups=1503(sftponly)
> >
> > Old server, /etc/passwd
> > frontier:x:1014:502::/attachments:/bin/false
> >
> > New server, /etc/passwd
> > frontier:x:2043:1503::/attachments:/bin/false
> >
> > I even tried creating a new group, new user, etc - it's typically
> > straightforward, but I can't get any combination to work that others swear
> > works for them. This isn't normally difficult but I've been working on this
> > for 4 hours and can't get the right combination to seem to work
> >
> > Has anyone successfully gotten this to work on centos 7?
> >
> > thanks
> > _______________________________________________
> > Filepro-list mailing list
> > Filepro-list at lists.celestial.com
> > Subscribe/Unsubscribe/Subscription Changes
> > http://mailman.celestial.com/mailman/listinfo/filepro-list
> >
>
> --
> Audio panton, cogito singularis.
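
The ownership and mode rules listed in the quoted reply, and the `bad ownership or modes for chroot directory component "/"` error from the original question, as an added example that is not part of either post and is not OpenSSH code: a shell audit that applies sshd's test (owner uid 0, no group or other write bit) to `/` and to every component of the chroot path. The function names and the optional uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path with the test sshd applies
# before chroot(). Function names and the uid argument are assumptions.
# Usage: check_chroot_path /home/frontier

# Print "uid mode" (octal), following symlinks; GNU stat, then BSD stat.
owner_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1"
}

# component_ok PATH [UID]: succeed only if PATH is a directory owned by UID
# (default 0 = root) with no group/other write bit, i.e. (mode & 022) == 0.
component_ok() {
    want_uid=${2:-0}
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    info=$(owner_mode "$1") || return 1
    uid=${info% *}
    mode=${info#* }
    rc=0
    [ "$uid" = "$want_uid" ] ||
        { echo "$1: owner uid $uid, expected $want_uid"; rc=1; }
    [ $(( 0$mode & 022 )) -eq 0 ] ||
        { echo "$1: mode $mode is group/other writable"; rc=1; }
    return $rc
}

# check_chroot_path PATH [UID]: test "/" and then every component down to
# PATH. Prints each failing component; returns 1 if any component failed.
check_chroot_path() {
    rest=${1#/}
    cur=""
    bad=0
    component_ok / "${2:-0}" || bad=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        component_ok "$cur" "${2:-0}" || bad=1
    done
    return $bad
}
```

Leave the uid argument off when auditing a real chroot, since sshd accepts only root-owned components; the writable upload directory sits below the chroot and is not part of the walked path.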