Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Restrict SFTP User to Specific Directory

Featured Replies

I am trying to setup a SFTP user to login and access a specific directory used by a docker container, but am running into a design conflict between Unraid and sshd's Chroot function. I'm running Unraid V6.11.3. I have added the following to the /boot/config/ssh/sshd_config:

Match Group sftp-restricted
	ChrootDirectory /mnt/user/containershare/mycontainer
	ForceCommand internal-sftp

 

However I get an error when trying to connect as the user:

 sshd[14757]: fatal: bad ownership or modes for chroot directory component "/mnt/user/"

 

This is because, by design, Unraid sets the permission of the /mnt/users folder to nobody/users, which is not compatible with sshd_config(5)'s ChrootDirectory according to the man page:

 

Quote

ChrootDirectory:

Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.
...
     StrictModes
             Specifies whether sshd(8) should check file modes and
             ownership of the user's files and home directory before
             accepting login.  This is normally desirable because
             novices sometimes accidentally leave their directory or
             files world-writable.  The default is yes.  Note that this
             does not apply to ChrootDirectory, whose permissions and
             ownership are checked unconditionally.

 

I was able to get this working with vsftpd instead of sshd by setting the user's home directory to the desired directory and by adding the following to the /etc/vsftp.conf file:

chroot_local_user=YES
allow_writeable_chroot=YES

 

It seems like vsftpd is not so strict when it comes to chroot, but unfortunately it only uses FTP and not SFTP so not something I can use. My question would be, is there another way to restrict an SFTP user to a specific directory? Or is there a another method outside of sshd I can use?

 

Thanks.

Edited by Nathan01

  • Nathan01 changed the title to Restrict SFTP User to Specific Directory
  • 1 month later...

@Nathan01 Did you ever find a better solution? I am trying to do essentially this exact thing. Provide access to a specific directory used by a docker container. 

  • Author
On 1/10/2023 at 9:33 AM, no_one said:

@Nathan01 Did you ever find a better solution? I am trying to do essentially this exact thing. Provide access to a specific directory used by a docker container. 

I did find a way, though not as elegant as I would have hoped. I installed the drakkan/sftpgo docker contain to run SFTPGo. I added an extra volume map for "/mnt/user" to "/somepathincontainer" so the container can access the home directories of my Unraid users. From there you can configure SFTPGo users in its webUI, and set their home dir to the container path pointing to their Unraid home dir.

 

In hindsight, you could just spin up a basic container with CentOS or the like and map the volume as above. Then install sshd_config(5) and configure the chroot dir as normal. You'll still have to setup the user in the container, but chroot should work as its now using the CentOS dir structure and not Unraid's.

 

Again, not pretty, but  '¯\_(ツ)_/¯

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.