# Chroot / Lock User In Dir



## dave (Jan 6, 2011)

I am having trouble getting chroot to work for me using the built-in ssh on FreeBSD 8.1 RELEASE.  What is the simplest (most elegant) way to lock a user in a directory for editing files (i.e. a web site) without using FTP?

The error I keep getting is...

```
sshd[38813]: fatal: bad ownership or modes for chroot directory "/usr/local/chroot/home/testuser"
```


----------



## vand777 (Jan 6, 2011)

In /etc/ssh/sshd_config:

```
...
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/sftp-server
Subsystem sftp internal-sftp

Match User your_user
    ChrootDirectory /home/your_user/ftp
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
...
```

Permissions: 

```
#ls -al /home/your_user

...
drwxr-x---  3 root       your_user  512 Aug 29 22:02 ftp
...
```


```
#ls -al /home/your_user/ftp/

...
drwxrwxr-x  2 root  your_user  512 Oct 28 21:13 pub
...
```

Your user will have full access to /home/your_user/ftp/pub.


----------



## anomie (Jan 6, 2011)

I think vand777 has already given you a thorough answer. 

I'd point out that the fix is built right into the error message you're seeing. From the sshd_config(5) manpages: 

```
ChrootDirectory
        Specifies the pathname of a directory to chroot(2) to after
        authentication.  All components of the pathname must be root-
        owned directories that are not writable by any other user or
        group...
```
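The rule anomie quotes is mechanical enough to check before restarting sshd: every path component from `/` down to and including the `ChrootDirectory` target must be a directory, owned by root, with neither the group nor the other write bit set. The directory the user actually writes into (pub in vand777's layout) sits below the chroot target and is therefore not subject to this check. The script below is an added example, not code from this thread or from OpenSSH; it walks each prefix of a candidate chroot path with `ls -ld` (so it runs the same on FreeBSD and Linux without stat(1) flag differences) and reports the first component that would trigger "bad ownership or modes for chroot directory". The path `/usr/local/chroot/home/testuser` is taken from dave's error message; the mode strings used in the test are constructed.

```shell
#!/bin/sh
# Added example: verify a ChrootDirectory path against the sshd_config(5) rule
# that every component must be a root-owned directory not writable by group
# or others. Not part of OpenSSH; written for this thread.

# check_component MODE OWNER
#   MODE  is the permission string from `ls -ld` (e.g. drwxr-x---),
#   OWNER is the owner name.
# Returns 0 when sshd would accept this component, 1 otherwise, and prints
# the reason for rejection on stdout.
check_component() {
    mode=$1
    owner=$2
    case $mode in
        d*) ;;
        *)  echo "not a directory (mode $mode)"; return 1 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "owned by $owner, must be owned by root"
        return 1
    fi
    # Position 6 is the group write bit, position 9 the other write bit.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "writable by group or others (mode $mode)"
        return 1
    fi
    return 0
}

# check_chroot_path DIR
# Checks /, then each longer prefix of DIR, finishing with DIR itself.
# Prints one line per component and returns 0 only if all of them pass.
check_chroot_path() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    case $dir in
        /*) ;;
        *)  echo "FAIL $dir: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    rc=0
    prefix=/
    rest=${dir#/}
    while :; do
        if info=$(ls -ld "$prefix" 2>/dev/null); then
            mode=$(printf '%s\n' "$info" | awk '{print $1}')
            owner=$(printf '%s\n' "$info" | awk '{print $3}')
            if reason=$(check_component "$mode" "$owner"); then
                echo "ok   $prefix ($owner $mode)"
            else
                echo "FAIL $prefix: $reason"
                rc=1
            fi
        else
            echo "FAIL $prefix: cannot stat"
            rc=1
        fi
        [ -n "$rest" ] || break
        # Peel the next component off the remaining path.
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        if [ "$prefix" = / ]; then prefix=/$comp; else prefix=$prefix/$comp; fi
    done
    return $rc
}

# Usage: sh check_chroot.sh /usr/local/chroot/home/testuser
# Only runs when a path is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root against the exact value you put in `ChrootDirectory`; a FAIL line names the component to fix with `chown root` or `chmod g-w,o-w`. Once every component passes, create the user-writable directory (pub in vand777's example) inside the chroot and give it to the user there, never on the chroot target itself.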


----------



## dave (Jan 7, 2011)

anomie said:

> I think vand777 has already given you a thorough answer.
> 
> I'd point out that the fix is built right into the error message you're seeing. From the sshd_config(5) manpages:
> 
> ...



Yes, I read the man page.  There are more components to this setup than the directory permissions.  The most confusing part of the man page is that it does not make clear the difference between the directory "to chroot to", the directory below it (pub in vand777's example), or if/where/how they should be specified in the config.


----------



## dave (Jan 7, 2011)

vand777 said:

> In /etc/ssh/sshd_config:
> 
> ...



Thanks. What shell should I use for the your_user account?


----------



## vand777 (Jan 7, 2011)

dave said:

> Thanks. What shell should I use for the your_user account?



nologin unless you want your user to be able to connect to your system other than via sftp.


----------



## vand777 (Jan 7, 2011)

dave said:

> Yes, I read the man page.  There are more components to this setup than the directory permissions.  The most confusing part of the man page is that it does not make clear the difference between the directory "to chroot to", the directory below it (pub in vand777's example), or if/where/how they should be specified in the config.


Please set up the directory permissions as advised in my post above and it will start working. I had exactly the same issue when I first tried to chroot a user.


----------

