Jon McCain

How to set up users on Linux with SSH and SFTP access but only access to their home folders.

SSH is a great way to access a Linux system. But I never liked the idea that a user could see other parts of the file system (folder names and file names) even though they couldn't view or change the actual files, provided their permissions were set correctly. Chroot lets you tie a user to a folder, but it's complex because you have to create a self-contained environment with the base files, base commands and libraries. A script named make_chroot_jail.sh, written by Wolfgang Fuschlberger, takes all the pain out of this: you just pass it a username and it creates the user, sets permissions and creates the whole environment. Go to his web page www.fuschlberger.net to get it.

# make_chroot_jail.sh user2

And when you no longer need that user, it's easy to get rid of them. Just the standard userdel does everything needed.

# userdel -r user2

But somewhere along the line it stopped working with Debian. I figured out how to fix it and made a patch you can apply to the original make_chroot_jail.sh to get a version that works with Debian 8 (aka Jessie). A word of warning: this has only been tested on the i386 version. On a 64-bit system the libraries are in a different place. In theory this will work, as I looked up the folders for them and put them in the script too.

So download the patch make_chroot_jail_jessie.patch and apply it. Note that this is meant to be applied to the RELEASE 2008-04-26 version.

# patch -i make_chroot_jail_jessie.patch -o make_chroot_jail_jessie.sh
# chmod 777 make_chroot_jail_jessie.sh

If you don't want to apply the patch yourself, here is the patched version.

make_chroot_jail_jessie.sh

It works exactly the same as before.

# make_chroot_jail_jessie.sh user2

For the curious, here is what I changed:
  • The TMPFILE1=`mktemp` &> /dev/null command did not work anymore, in particular the &> /dev/null part.
  • The if..then syntax on that same line gave an error. Putting it on separate lines fixed that.
  • The mkdir -p .`dirname $lib` > /dev/null 2>&1 line no longer worked. It seemed to be the redirection part again, so the > /dev/null 2>&1 part was removed.
  • Some libcap and libnss libraries are hard-coded because ldd can't detect them. But those names changed in later versions of Debian, so they had to be fixed. To complicate things some more, they are in different folders on 32-bit and 64-bit systems.
  • The PAM modules have to be copied to the jail. But they are in a different place on 32-bit systems than on 64-bit systems, so logic was added to detect which one to copy.
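To show what the last three changes are doing, here is a small added example (my own illustration, not Wolfgang Fuschlberger's script or the patch itself) of the two building blocks of a chroot jail builder: picking the Debian multiarch library folder for the CPU type, and copying a binary plus every library ldd reports into the jail at the same path it has on the host. The jail path /home/jail in the usage line is an assumption.

```shell
#!/bin/sh
# Added example: the 32-bit/64-bit library folder choice and the
# "copy binary and its libraries into the jail" step of a chroot builder.
set -eu

# Map the output of `uname -m` to Debian's multiarch library directory.
# Only the two Debian architectures the post talks about are handled.
multiarch_libdir() {
    case "$1" in
        i?86)   echo /lib/i386-linux-gnu ;;
        x86_64) echo /lib/x86_64-linux-gnu ;;
        *)      echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Read ldd output on stdin and print one absolute library path per line.
# "name => /path" lines are resolved libraries, a bare "/path" line is the
# dynamic loader; vdso entries and "not found" libraries are skipped.
ldd_paths() {
    awk '
        /=>/ && $3 ~ /^\//   { print $3; next }
        $1 ~ /^\//           { print $1 }
    '
}

# Copy one host file into the jail, recreating its parent directory
# (the job of the "mkdir -p .`dirname $lib`" line mentioned above).
jail_copy() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp -p "$src" "$jail$src"
}

# Copy a binary and all of its ldd-reported dependencies into the jail.
# Libraries ldd cannot see (the libnss/libcap ones) still need adding
# by hand from "$(multiarch_libdir "$(uname -m)")".
jail_add_binary() {
    jail=$1; bin=$2
    jail_copy "$jail" "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        jail_copy "$jail" "$lib"
    done
}

# Usage (assumed jail path): jail_add_binary /home/jail /bin/sh
```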


Date: 1/31/2016