Nathan01 Posted November 17, 2022 (edited)

I am trying to set up an SFTP user to log in and access a specific directory used by a docker container, but am running into a design conflict between Unraid and sshd's Chroot function. I'm running Unraid V6.11.3.

I have added the following to the /boot/config/ssh/sshd_config:

    Match Group sftp-restricted
        ChrootDirectory /mnt/user/containershare/mycontainer
        ForceCommand internal-sftp

However I get an error when trying to connect as the user:

    sshd[14757]: fatal: bad ownership or modes for chroot directory component "/mnt/user/"

This is because, by design, Unraid sets the permission of the /mnt/users folder to nobody/users, which is not compatible with sshd_config(5)'s ChrootDirectory according to the man page:

> ChrootDirectory: Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.
> ...
> StrictModes Specifies whether sshd(8) should check file modes and ownership of the user's files and home directory before accepting login. This is normally desirable because novices sometimes accidentally leave their directory or files world-writable. The default is yes. Note that this does not apply to ChrootDirectory, whose permissions and ownership are checked unconditionally.

I was able to get this working with vsftpd instead of sshd by setting the user's home directory to the desired directory and by adding the following to the /etc/vsftp.conf file:

    chroot_local_user=YES
    allow_writeable_chroot=YES

It seems like vsftpd is not so strict when it comes to chroot, but unfortunately it only uses FTP and not SFTP, so not something I can use.

My question would be, is there another way to restrict an SFTP user to a specific directory? Or is there another method outside of sshd I can use?

Thanks.

no_one Posted January 10, 2023

@Nathan01 Did you ever find a better solution? I am trying to do essentially this exact thing. Provide access to a specific directory used by a docker container.

Nathan01 (Author) Posted January 12, 2023

On 1/10/2023 at 9:33 AM, no_one said:

> @Nathan01 Did you ever find a better solution? I am trying to do essentially this exact thing. Provide access to a specific directory used by a docker container.

I did find a way, though not as elegant as I would have hoped. I installed the drakkan/sftpgo docker container to run SFTPGo. I added an extra volume map for "/mnt/user" to "/somepathincontainer" so the container can access the home directories of my Unraid users. From there you can configure SFTPGo users in its webUI, and set their home dir to the container path pointing to their Unraid home dir.

In hindsight, you could just spin up a basic container with CentOS or the like and map the volume as above. Then install sshd_config(5) and configure the chroot dir as normal. You'll still have to set up the user in the container, but chroot should work as it's now using the CentOS dir structure and not Unraid's.

Again, not pretty, but ¯\_(ツ)_/¯
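
Added example, not written by any poster in this thread: a shell check that walks every component of a planned ChrootDirectory path and applies the ownership and mode rule from the man page excerpt quoted in the first post (owner uid 0, no group or other write bit), so the failing component shows up before sshd rejects the login, whether on the Unraid host or inside a container as in the last post. The function names are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Covers only the ownership/mode rule quoted above; sshd also requires each
# component to be a directory, which this sketch does not test.

# Print each component of an absolute path, from / down to the full path.
chroot_components() (
    path=${1%/}
    echo /
    acc=
    IFS=/
    set -f                      # no globbing while the path is split on "/"
    for part in $path; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        echo "$acc"
    done
)

# Succeed only if owner uid ($1) is 0 and octal mode ($2) has no g+w / o+w bit.
component_ok() {
    [ "$1" -eq 0 ] 2>/dev/null && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Read "uid mode path" lines on stdin; print the first failing path, if any.
first_bad_component() {
    while read -r uid mode path; do
        if ! component_ok "$uid" "$mode"; then
            echo "$path"
            return 1
        fi
    done
    return 0
}

# Stat every component of a real path (-L follows symlinks).
check_chroot_path() {
    case $1 in /*) ;; *) echo "path must be absolute" >&2; return 2 ;; esac
    if bad=$(chroot_components "$1" | while read -r c; do
                 printf '%s %s\n' "$(stat -L -c '%u %a' "$c" 2>/dev/null)" "$c"
             done | first_bad_component); then
        echo "ok: $1 passes the ownership/mode check"
    else
        echo "bad ownership or modes for chroot directory component \"$bad\""
        return 1
    fi
}

if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it as root with the intended chroot path as the only argument; a component that does not exist is reported as failing.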