+44 20 3287 1023
support@nicktailor.com

How to jail users via sftp on Drupal Servers using Aegir

| September 11, 2012
How to jail users via sftp on Drupal Servers

You will need to ensure your openssh server your running is at least 5.1 If it not then please check out “How to jail subdomain sftp users via chroot with plesk” in my blog, it will have instructions on how to update your openssh if your running redhat or any similar OS.

Note: /etc/ssh/sshd_config (this config is a slightly different on Drupal servers than plesk ones so that Dreamweaver could sftp)
===================================
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server 

Subsystem sftp internal-sftp
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
====================================
1. Do the following:
-# usermod -G sftp joe (add the user)
-# usermod -s /bin/false joe (change the bash of the user)
-# chmod -R root:root /home/joe (parent directory has to be owned by root for chroot)
-# chmod 755 /home/joe (Permissions on parent directory has to be 755 for sftp to work via chroot)
-# passwd joe (set password for user)
2. Create a directory inside the home directory of the new user and name it the same of of the directory you want them to be jailed to
mkdir /home/joe/(same name of directory you want user to be jailed to)
eg mkdir /home/joe/jailed
3. Now you are going to mount the directory that you wanted the user jailed into to the new users home directory
#- Mount –bind <fullpathofdirectoryyouwanttojailuser> <pathtonewusershomdirectory>
Eg.
Mount –bind /www_data/sites/drupal-6.19/sites/test.com/jailed /home/joe/jailed
Note: I create this file and add it to /etc/rc.local so that if your server reboots, you wont loose your mounts 
4. Add the above line to /etc/init.d/sftpjailedmounts.sh <–this is so if you reboot the server the mounts arent lost, this file is loaded by /etc/rc.local
5. Now your going to change the permissions inside their home directory so the sftp user will be able to ftp files

#- chown test2:aegir /home/joe/jailed
If you want to see your mount simply type mount and you will them.
eg.
[root@dpadmprod11 jhall]# mount
/dev/mapper/VGroot-LVroot on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/VGroot-LVlocal on /local type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
WEBI_NASprod:/vol/WEBI_DpProdConfig/www_config on /www_config type nfs (rw,addr=10.90.20.6)
WEBI_NASprod:/vol/WEBI_DpProdData/www_data on /www_data type nfs (rw,addr=10.90.20.6)
/www_data/sites/drupal-6.19/sites/test.com/webcam on /home/webcam/webcam type none (rw,bind)
/www_data/sites/drupal-6.19/sites/test.com/pharmdprivate on /home/pharmsci/pharmdprivate type none (rw,bind)
/www_data/sites/drupal-6.19/sites/pharmacy.ubc.ca/jailed on /home/joe/jailed type none (rw,bind) <——
September 11, 2012 Centos, LinuxNo Comments »

Leave a Reply

Your email address will not be published. Required fields are marked *

0