SFTP chroot jails

I read here about implementing SFTP chroot jails. Where can we find more information about this feature and how we can use it?

Hi Felix

Sorry for the delay, we usually try to answer within 12 hrs :).

SFTP is allowed by default for nologin users; it will also be enabled when you add a new user and when you upgrade the system to 1.0.0.

Here you have the code reference inside the add user script: https://github.com/hestiacp/hestiacp/blob/fe045c5df2f5bd7d5e361029300900c41a43e63c/bin/v-add-user#L220


That was helpful,
but the question for me is:
SFTP is good because of encryption, but
with my SFTP client I could see - not write - root and so on.
With FTP the client only sees his home area;
with SFTP he can go up to root /.
How can I adjust the behaviour to be the same as with FTP?
OK, I see there is a vsftp configuration file, but help would be appreciated.
Best regards, Markus

Do you log in as admin or as a normal user? What usergroup have you set? Usually you need to have them on “nologin”, then they should be chrooted to the home directory.

I log in as a normal user without special rights…
Then I can connect with e.g. WinSCP to the home directory of that user and write and read,
but I can also go up and read var, srv, bin etc. inside the root directory, but not write.
I can go inside other user directories, but at
/home/someuser/web reading is then prohibited.
That's OK so far.

But is it necessary that SCP users can see the root directory?
With FTP going up is not possible.

Now I want to answer your question about the usergroup and nologin…

OK, found the reason:
“hosting package”.
For a short time I had the hosting package default, which was the only one I could use until you gave me the hint with that ns1 ns2.
I activated bash login for default.
Users which I had made with that could log in via SCP.
But: when you remove bash login from an already assigned default hosting package, then the users are not updated.

The solution is:
if you set bash login inside the hosting package, then the users inside are not updated;
you have to switch forward and backward, and then nologin is assigned as you have set it inside the hosting package.

I do not know if this behavior is intentional, but I can live with that now.

As already written: If you want to have jailed ssh, just give them the nologin group. Bash is only if you need ssh access.

in addition to what @ScIT already said, a user that has normal shell access can see/read the filesystem when logging in with a normal shell anyway, so it would not make sense (even technically) to try and make sftp/winscp behave differently :wink:

that’s why a jail only works for users who have no full shell access (aka nologin).
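
The thread's conclusion (only nologin users are jailed, and users can keep a bash shell after their hosting package is switched back) can be checked with a small audit. The script below is an added example, not part of any post above and not HestiaCP's own code; it assumes hosting accounts have their home directory under /home and that only a shell ending in `nologin` counts as jailed, and the sample account names are constructed.

```shell
#!/bin/sh
# Audit helper (added example): list accounts that will NOT be chrooted
# over SFTP because they still have a real login shell.
# Assumption: hosting users live under /home; system accounts are ignored.

# unjailed_users [passwd-file]
#   Reads a passwd(5)-format file (default /etc/passwd, "-" for stdin) and
#   prints "user:shell" for every /home account whose shell is not nologin.
unjailed_users() {
    awk -F: '
        # $1 = user name, $6 = home directory, $7 = login shell
        $6 ~ /^\/home\// && $7 !~ /\/nologin$/ { print $1 ":" $7 }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data in passwd(5) format, so the check runs offline.
# alice is jailed (nologin); bob and carol kept a shell and can browse /.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001::/home/alice:/usr/sbin/nologin
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/sh
EOF
}

# Demo on the constructed sample; on a real server call `unjailed_users`
# with no argument to read /etc/passwd instead.
sample_passwd | unjailed_users -
```

Any account this prints after a hosting package change is one whose shell was not updated, as described in the thread, and it still sees the whole filesystem over SFTP.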