SFTP/SSH Daemon permissions bug

Asked by Ashley Meadows on 2012-06-13

Before I file a bug report I'd like to discuss this issue.

When granting SFTP access, the SSH daemon expects the home directory of the SFTP user to be owned by root, and only the owner can write. If root doesn't own the chrooted directory, or the group has write permission, the SSH daemon rejects incoming connections for such a user.

By setting these strict ownership rules, the user can authenticate via SFTP, but cannot write to the directory. Surely this is a bug?

Question information

Language: English
Status: Answered
For: Ubuntu openssh
Assignee: No assignee
Last query: 2012-06-13
Last reply: 2012-06-13

The owner of home is the username you log in as, not root. You should also block root access via SSH and shouldn't even have the root account enabled.

Ashley Meadows (takingsides) said : #2

I apologise if I've not explained myself, but you're mistaken. I have locked the root user out. I have logged in with the username (as explained above).

SFTP is FTP over an SSH tunnel - SSH authenticates, and if the authenticating user is permitted, the SFTP server daemon nevertheless terminates the connection when the chrooted directory is NOT owned by root. That's my problem. In order for my SFTP user to WRITE (upload) files to the server via SFTP, I need the user's group to have write access (0775), but SFTP won't work unless it's at most 0755.

I created a directory called public inside the user's home directory, granted the user write access, and everything worked. But for me that's a bug? The user SHOULD be permitted to access and write in their own directory. It's a conflict between standard Unix filesystem practice and SFTP's requirements before it allows access. More so, the user, when authenticated, CANNOT write in their own directory, but yet can READ anything.

Probably that bug affects you: bug 1374386
