CRUX : Home

Building a simple chrooted SFTP server


Jukka Heino

This short guide will show you how to build a system where SFTP users are chrooted into their home directories, effectively preventing them from snooping around your system.

Install chroot_safe and sudo (available in the ports tree). chroot_safe is a clever piece of software which allows chrooting for dynamically linked applications without having to copy libraries into the chroot directory.

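NOTE: You need to create a /dev/null device node inside each user's home directory, because that directory becomes the root of the chroot. For example, assuming the home directory is /home/<user> (on Linux, /dev/null is character device major 1, minor 3):

mkdir -p /home/<user>/dev
mknod -m 666 /home/<user>/dev/null c 1 3

More recent releases of sftp-server require access to /dev/null, and the chroot_safe script does not provide that access.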

Write a wrapper script which does the chrooting for sftp-server (the binary used for SFTP operations on the server side). Because chrooting can only be done by root, this script will re-execute itself under root permissions (with the help of sudo). Don't worry, permissions are dropped as soon as the chroot is running. Save the chrooted SFTP wrapper script in /usr/lib/ssh/sftp-server-chroot:

#!/bin/bash
# Not root yet: re-execute this script as root through sudo.
if [ "$UID" != "0" ] ; then
	exec /usr/bin/sudo "$0"
fi

# Now root: chroot into the user's home and run sftp-server as that user.
exec /usr/sbin/chroot_safe "$SUDO_USER" "$HOME" /usr/lib/ssh/sftp-server

Add restricted SFTP users. This is exactly like adding normal users, except the SFTP users' shell is set to /usr/lib/ssh/sftp-server-chroot. This will prevent them from using the account for anything other than chrooted SFTP.

# useradd -s /usr/lib/ssh/sftp-server-chroot -m <user>
# passwd <user>

Add the following line in /etc/sudoers for each new SFTP user you add. This will allow the sftp-server-chroot wrapper script to get root permissions for the actual chroot operation.

<user>     ALL=NOPASSWD: /usr/lib/ssh/sftp-server-chroot

Because we are aiming for a secure SFTP-only account, you might want to disable TCP port forwarding in /etc/ssh/sshd_config. Unfortunately, this has the side effect of disabling TCP forwarding even for normal users. At the moment there's no workaround available. Make sure your sshd_config has the following line (and it's not commented out):

AllowTcpForwarding no

You're done! Before handing out usernames and passwords, you might want to check that the chroot really works correctly, i.e. the user can't get out of the SFTP jail.
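
Before that login test, the configuration the steps above produce can be checked statically. The following audit script is an added example, not part of the original guide or of CRUX. The function names and the PASSWD, SUDOERS and SSHD_CONFIG override variables are assumptions made for the example, and it expects the sudoers line in exactly the form shown above.

```shell
#!/bin/sh
# Added example: audit the setup from this guide for one SFTP user.
# PASSWD, SUDOERS and SSHD_CONFIG are hypothetical override variables.
WRAPPER=/usr/lib/ssh/sftp-server-chroot

# Print field N of USER's passwd entry (6 = home, 7 = login shell).
passwd_field() {  # usage: passwd_field FILE USER N
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# True if FILE has the guide's sudoers line for USER, with no extra commands.
sudoers_allows_wrapper() {  # usage: sudoers_allows_wrapper FILE USER
    awk -v u="$2" -v w="$WRAPPER" '
        $1 == u && $2 == "ALL=NOPASSWD:" && $3 == w && NF == 3 { ok = 1 }
        END { exit !ok }' "$1"
}

# True if the global AllowTcpForwarding value is "no". sshd keeps the first
# value it reads, keywords are case-insensitive, and anything after a Match
# line is conditional, so scanning stops there.
tcp_forwarding_disabled() {  # usage: tcp_forwarding_disabled FILE
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowtcpforwarding" { v = $2; exit }
         END { exit !(v == "no") }' "$1"
}

# Run all checks for USER; the return value is the number of failed checks.
audit_sftp_user() {
    user=$1 fails=0
    home=$(passwd_field "${PASSWD:-/etc/passwd}" "$user" 6)
    [ "$(passwd_field "${PASSWD:-/etc/passwd}" "$user" 7)" = "$WRAPPER" ] ||
        { echo "FAIL: login shell is not $WRAPPER"; fails=$((fails + 1)); }
    { [ -n "$home" ] && [ -c "$home/dev/null" ]; } ||
        { echo "FAIL: $home/dev/null is not a character device"; fails=$((fails + 1)); }
    sudoers_allows_wrapper "${SUDOERS:-/etc/sudoers}" "$user" ||
        { echo "FAIL: no NOPASSWD sudoers line for $WRAPPER"; fails=$((fails + 1)); }
    tcp_forwarding_disabled "${SSHD_CONFIG:-/etc/ssh/sshd_config}" ||
        { echo "FAIL: AllowTcpForwarding is not globally set to no"; fails=$((fails + 1)); }
    return "$fails"
}

# Stand-alone use (as root, since /etc/sudoers is not world-readable).
if [ $# -gt 0 ]; then audit_sftp_user "$1"; fi
```

The script checks configuration only; logging in over SFTP as the restricted user remains the real test of the jail.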