[GUIDE] SFTP Selective remote folder access to certain users

  • OMV 2.x
  • core



    SFTP Selective remote folder access to users

    SFTP is a file transfer protocol that runs over SSH and comes bundled with the openssh-server package. With the default settings, root or any other user in the ssh group can reach the whole root filesystem and all media drives. This guide covers how to set up SSH so that specific folders are the only ones a user can reach through SFTP. This is done with chroot jails defined in sshd_config: we create a general /sftp folder and, inside it, bind-mount every folder a particular user should be able to access.

    Warning: 90% of this guide is CLI commands.

    What you need:
    • OMV 2.0 (this should also work on earlier versions such as 1.0 and 0.5, but it hasn't been tested)
    • SSH service
    • tree (optional: apt-get install tree)
    • A terminal console (or PuTTY on Windows)
    Getting Started

    First we need to disable the general sftp subsystem that is enabled by default. Since OMV regenerates sshd_config from its defaults every time the SSH service is changed, we override those defaults through environment variables instead of editing sshd_config directly.

    nano /etc/default/openmediavault

    Place these two lines at the end of the file:

        OMV_SSHD_SUBSYSTEM_SFTP="internal-sftp"
        OMV_SSHD_ALLOWGROUPS="root ssh sftp-access"


    Run service openmediavault-engined restart && omv-mkconf ssh && service ssh restart

    Then we create the group sftp-access in the web UI and add user1 and user2 as members; we verify it in the terminal:

        root@vm-omv:/# getent group sftp-access
        sftp-access:x:1002:user1,user2


    Now let's create the chroot folders for our two users:

    mkdir -p /sftp/{user1,user2}

    It is important that these two folders are owned by root and that nobody else has write access; sshd checks this (for the chroot directory and every parent up to /) and refuses the login with "bad ownership or modes for chroot directory" otherwise.

        chown root:root /sftp/{user1,user2}
        chmod 755 /sftp/{user1,user2}


    Now let's say we have four folders at /media/<uuid>/: Documents, Videos, Pictures and Music.

    list.png

    We want user1 to have access to all four folders and user2 to Documents only.
    In the /sftp folder we do:

        mkdir -p /sftp/user1/{Documents,Music,Pictures,Videos}
        mkdir -p /sftp/user2/Documents


    We edit /etc/fstab and add this at the end:

        # >>> [SFTP]
        /media/2d5bcef8-9457-47e5-8555-0b21b313c494/Documents /sftp/user1/Documents none bind 0 0
        /media/2d5bcef8-9457-47e5-8555-0b21b313c494/Videos /sftp/user1/Videos none bind 0 0
        /media/2d5bcef8-9457-47e5-8555-0b21b313c494/Music /sftp/user1/Music none bind 0 0
        /media/2d5bcef8-9457-47e5-8555-0b21b313c494/Pictures /sftp/user1/Pictures none bind 0 0
        /media/2d5bcef8-9457-47e5-8555-0b21b313c494/Documents /sftp/user2/Documents none bind 0 0
        # <<< [SFTP]


    Change the uuid and folders according to your setup.

    Run mount -a and confirm all folders are mounted with mount | grep 'user1\|user2'

    mtab.png

    You can then check the structure with tree /sftp -fpug

    tree.png

    As you can see, if you create a file in the original directory it shows up in the sftp directory as well. This is a bind mount: an alternate view of the original directory tree, exposed at another point of the / filesystem.

    Now we go to the SSH configuration panel in the OMV web UI and, under extra options, we add:

        Match Group sftp-access
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp


    It should look like this

    webpanel.png

    Now let's check from another LAN client that it is working:

    sftpaccess.png

    You can also use FileZilla, Cyberduck, WinSCP or any other client that supports SFTP to connect from a desktop.

    Notes:
    • SSH provides no per-login read/write control over files the way Samba or FTP do; whether a directory is visible or not is decided by the fstab bind mounts. If you want to restrict some users to read-only access you will need to use basic POSIX permissions.
    • The ForceCommand directive denies SSH console access to the users in the defined group. Users in the ssh group are not affected by this and keep full root filesystem access over both SFTP and SSH.
    • You cannot create folders in the top-level chroot folder using SFTP: as we set up in the beginning, both chroot folders user1 and user2 give the user no write access, so folder or file creation/upload is denied there. Inside the bind folders everything should work as expected.
    • You cannot use the scp command in this setup for the users defined in the group sftp-access.
    • You can use SSH keys for more secure access if you want. Those can be added in each user's web panel.
    • If you want to remove a user's access to a folder, do not attempt to remove the folders at /sftp/<user>/ without unmounting the binds first, otherwise YOU'RE GOING TO LOSE DATA. You can unmount with umount /sftp/user1/Documents, for example, and then delete the specific fstab entry.


    Questions / Problems / Discussions
    chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
    telegram.me/openmediavault broadcast channel
    openmediavault discord server
