Solved Chroot sftp bad ownership

Hi - This is driving me mad..

FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401

I'm running lots of websites with www/apache24. I have developers looking for access to modify files. I don't want to give access to the server, just to the applicable sites. My setup is as follows:

I create user accounts for each site: site1user, site2user...
Each user has a home directory of: /usr/local/www/apache24/data/site1

Webroot: /usr/local/www/apache24/data/site1, site2, site3 and so on...

My ssh config: /etc/ssh/sshd_config

Code:
# override default of no subsystems
#Subsystem  sftp  /usr/libexec/sftp-server
Subsystem  sftp  internal-sftp -l INFO -f AUTH
..
..
Match User site1user
PasswordAuthentication yes
ChrootDirectory /usr/local/www/apache24/data
ForceCommand internal-sftp -l INFO
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
PermitTTY no
X11Forwarding no
I use filezilla to connect, test and watch: /var/log/auth.log
..
Code:
sshd[52053]: fatal: bad ownership or modes for chroot directory component "/"

My permissions are as follows. The path to the home directories is owned by root:
Code:
drwxr-xr-x  16 root  wheel  512 Jan 20  2015 usr
drwxr-xr-x  14 root  wheel  512 Sep 11 19:36 local
drwxr-xr-x  4 root  wheel  512 Sep 11 21:15 www
drwxr-xr-x  6 root  wheel  512 Sep 11 20:20 apache24
drwxr-xr-x  4 root  wheel  1024 Sep 29 21:56 data
drwxr-xr-x  8 root  root  1024 Sep 29 22:01 site1
Inside the site1 directory all the files are owned by the site1user.

If I remove the ChrootDirectory directive I can login and see all files for the system which I don't want. I have read lots of articles and feel my setup is correct but not..
Where am I going wrong?

Thank you.
 
First, this
Code:
drwxr-xr-x 8 root root 1024 Sep 29 22:01 site1
. . .indicates that you are using root as the owner of sites 1-n, etc. and that is not good. You should not allow root access to the users . . .to anything, anywhere! Additionally, you should not allow remote login access to the root user. Trying to do so may be at the crux of your problems.

Next, I'd change the architecture of your Apache installation file structure. Rather than use
Webroot: /usr/local/www/apache24/data/site1, site2, site3 and so on...

create a virtual hosts directory under /www, e.g.,
Code:
4 drwxr-xr-x  10 rtwingfield  wheel  512 Jun  4 16:27 vhosts
and make the owner of that directory someone other than root.

Also, a suggestion: create the following symbolic link:
Code:
0 lrwxr-xr-x  1 root  wheel  14 Jun  3 07:44 www -> /usr/local/www
This will allow you to simply cd /www (or cd /www/vhosts) and "be there" without the nuisance of having to type the /usr/local "prefix".

Then, create a /www/vhosts directory, and within that, create sub-directories for each virtual host user. For example,
Code:
4 drwxr-xr-x  10 ar042swrcap  wheel  1024 Jun  4 16:35 AR042SWRCAP.org
4 drwxr-xr-x  6 rtwingfield  wheel  512 Jun 24 11:27 Archaxis.net
4 drwxr-xr-x  11 mpcata  wheel  1024 Jun  4 16:27 mpcata.org
4 drwxr-xr-x  5 vsshelton  wheel  512 Jun  4 16:35 SheltonEstate.com   ...actually no longer exists

Create your userids per the indicated owners (chown the vhosts directories as required) and set the paths in the individual user profiles. Only grant (chmod 755) the users write authority (gotta keep 'em separated).

This should allow your users remote login access to only their files. They can then rftp, ssh as required.

Note that this does not change the location of your Apache24 base files. These core files should remain in /usr/local/etc/apache24/httpd.conf, et al., and /usr/local/etc/apache24/extra/httpd-vhosts.conf, et al. Owner and group remains mode 755 for root and wheel, respectively. Remember that this latter httpd-vhosts.conf file is an application core file for your virtual host container files (each virtual host is described within a container, that is a subset of the httpd.conf file). Essentially, a virtual host container could be described as:

Code:
<VirtualHost *:80>
  ServerAdmin a-user@user's.domain
  DocumentRoot /www/vhosts/user's.domain
  ServerName user.domain
  ServerAlias www.user's.domain
  ErrorLog  logs/user's_error_log
  CustomLog logs/user's_access_log common
  RewriteEngine on
  RewriteOptions Inherit
</VirtualHost>

Your virtual users should not have access to these files. Your virtual host users only have access to their published web page content in /www/vhosts/their-directory . . .whatever they wish to include is up to them. In fact, whatever they choose to put there may not in fact have anything to do with their webpages.

With apologies, this is a hasty and too brief outline. I'm leaving immediately for a day trip, then tomorrow, for Vicksburg, MS, then to New Orleans, then to Ft. Worth (total 11+ days out of office). I will have laptop with me. I'll check back periodically and add more to these suggestions.
 
Thanks Ron, have been busy myself... I'll hopefully get a closer look at your findings over the next day or so.

Everything I've read revolves around chroot(8) 'owning' the chroot(8) directory. Like you say, maybe this is causing an issue in this case. I had referenced this material: chroot-sftp, in saying that it is outdated.

Code:
0 lrwxr-xr-x 1 root wheel 14 Jun 3 07:44 www -> /usr/local/www
Sometimes the simplest things are the hardest to see, that is going to make my life a lot easier ;-)

I'll give your suggestions a go and report my findings. Appreciate your time.
 
Ok, so I've made a few changes regarding the server configuration that I'll detail below. I still cannot sftp to the server and log in.
I've added -
Code:
0 lrwxr-xr-x 1 root wheel 14 Jun 3 07:44 www -> /usr/local/www

Code:
ls -l /www/
total 12
drwxr-xr-x  4 aa  wheel  512 Oct  4 00:39 vhosts

I've changed the ownership of the virtual host users, I added 2 users, 1 for each site for sftp logins as below:
Code:
> ls -l
total 8
drwxr-xr-x  6 sbcobra  wheel  1024 Oct  4 00:39 domain1.com
drwxr-xr-x  8 sbconsult  wheel  1024 Oct  4 00:39 domain2.com

Let's look at the domain1 user profile, as below:
Code:
#Changing user information for sbcobra.
Login: sbcobra
Password (removed)
Uid [#]: 1003
Gid [# or name]: 1003
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /www/vhosts/domain1.com
Shell: /usr/sbin/nologin
Full Name: sandbox cobra
Office Location:
Office Phone:
Home Phone:
Other information:

My VirtualHost container looks like this for domain1:
Code:
# domain1 Apache24 Configuration
<VirtualHost *>
ServerName domain1.com
ServerAlias www.domain1.com
CustomLog /var/log/domain1.com-access_log combined
ErrorLog /var/log/domain1.com-error_log
DocumentRoot /www/vhosts/domain1.com
<Directory /www/vhosts/domain1.com>
</Directory>
</VirtualHost>

My ssh_config (/etc/ssh/sshd_config) file looks like this:
Code:
Subsystem sftp internal-sftp
Match User sbcobra
  PasswordAuthentication yes
  ChrootDirectory /www/vhosts/domian1.com
  ForceCommand internal-sftp
  AllowTcpForwarding no
  AllowAgentForwarding no
  PermitTunnel no
  PermitTTY no
  X11Forwarding no

Using filezilla:
Code:
Status:   Connecting to 1.1.1.1... (ip removed).
Response:   fzSftp started
Command:   open "sbcobra@1.1.1.1" 22
Command:   Trust new Hostkey: Once
Command:   Pass: **********************
Error:   Server unexpectedly closed network connection
Error:   Could not connect to server

and the /var/log/auth.log...
Code:
Oct  4 13:32:58 webserver sshd[46174]: fatal: bad ownership or modes for chroot directory component "/"
I find it odd that the chroot directory is described above as '/' - Should it not be what is configured in the sshd_config?
Like so:
Code:
ChrootDirectory /www/vhosts/domian1.com
 
So, I finally got this sorted. I spun up another VM and started from scratch.

For those who want a similar setup: FreeBSD 10.2-RELEASE.
Chroot for each site, developers only have access to their individual site's public_html folder.

Permissions set for each of the directories.
Code:
freebsd@webserver:~ % ls -l /www/
drwxr-xr-x  5 root  wheel  512 Oct  6 20:37 vhosts

Code:
freebsd@webserver:~ % ls -l /www/vhosts/
drwxr-xr-x  3 root  wheel  512 Oct  5 21:11 domain1.com
drwxr-xr-x  3 root  wheel  512 Oct  5 19:02 domain2.co.uk
drwxr-xr-x  3 root  wheel  1024 Oct  6 20:57 domain3.org

Code:
freebsd@webserver:~ % ls -l /www/vhosts/domain1.com/
drwxr-xr-x  6 sbcobra  sbcobra  1024 Oct  5 21:15 public_html

User account setup was as follows:
Code:
#Changing user information for sbcobra.
Login: sbcobra
Password: (removed)
Uid [#]: 1002
Gid [# or name]: 1002
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /www/vhosts/domain1.com
Shell: /usr/sbin/nologin
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

So my: sshd_config
Code:
# override default of no subsystems
# Subsystem  sftp  /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match User sbcobra
  ChrootDirectory /www/vhosts/domain1.com
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp

Code:
Match User sbFirew
  ChrootDirectory /www/vhosts/domain2.com
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp

This setup works for me, hope it helps if you get stuck. I'm sure there are other ways to configure FreeBSD and get this working..

I should say also, I just added another 'Match User' section in my sshd_config for another web site with another user. I have read you can just add another username to the end of the 'Match User' line but this works fine for me, as above.
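A small check script, added here and not part of the thread, that walks a ChrootDirectory path the same way sshd does before it chroots: every component from / downward must be owned by root and must not be group- or world-writable, and sshd stops at the first component that fails and names it in the log, so the earlier log lines naming "/" mean the root directory itself failed the check. It assumes a POSIX sh, that ls -ldn prints mode, links, uid, gid as its first four columns, and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread: walk a ChrootDirectory path the way sshd
# does before chrooting. Each component from "/" down must be owned by uid 0 and
# not be group- or world-writable, or sshd logs "bad ownership or modes for
# chroot directory component" and drops the session.
# Assumes `ls -ldn` prints mode, links, uid, gid ... and paths without spaces.

# Print each component, from "/" down to the full path, one per line.
chroot_components() {
    path=$1; comp=""
    printf '%s\n' /
    old_ifs=$IFS; IFS=/; set -- $path; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        comp="$comp/$part"
        printf '%s\n' "$comp"
    done
}

# Apply sshd's two rules to one "ls -ldn" line; 0 = acceptable, 1 = rejected,
# with the reason(s) printed on stdout.
check_component_line() {
    set -- $1
    mode=$1; uid=$3; ok=0
    if [ "$uid" != 0 ]; then
        echo "not owned by root (uid $uid)"; ok=1
    fi
    case $mode in
        ?????w*|????????w*)    # group write bit (char 6) or world write bit (char 9)
            echo "group- or world-writable ($mode)"; ok=1 ;;
    esac
    return $ok
}

# Check a real path on this host, printing one verdict per component.
check_chroot_path() {
    status=0
    for c in $(chroot_components "$1"); do
        if reason=$(check_component_line "$(ls -ldn "$c")"); then
            printf 'ok   %s\n' "$c"
        else
            printf 'BAD  %s: %s\n' "$c" "$reason"; status=1
        fi
    done
    return $status
}

# Usage: sh chrootcheck.sh /www/vhosts/domain1.com
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it against the configured ChrootDirectory after any chown or chmod on the path; a BAD line is exactly the component sshd will complain about in auth.log.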
 