CopSSH SFTP -- limit users access to their home directory only

Posted by bradvido on Server Fault
Published on 2010-04-14T14:57:10Z


Let me preface this by saying I've read and followed these instructions at the FAQ many times: http://www.itefix.no/i2/node/37

It does not do what the title claims... It allows every user access to every other user's home directory, as well as access to all subfolders below the CopSSH installation path.

I'm only using this for SFTP access and I need my users to be sandboxed into only their home directory.

If you know a fool-proof way to lock users down so they can see only their home directory and its subfolders, stop reading now and reply with the solution.

The details:

Here is exactly what I tried as I followed the FAQ. My CopSSH installation directory is: C:\Program Files\CopSSH

net localgroup sftp_users /ADD      **Create a user group to hold all my SFTP users

cacls c:\ /c /e /t /d sftp_users    **For that group, deny access at the top level and all levels below

cacls "C:\Program Files\CopSSH" /c /e /t /r sftp_users    **Allow my user group access to the copSSH installation directory and its subdirectories

For each sftp user, I create a new windows user account, then I:

net localgroup sftp_users sftp_user_1 /add    **Add my user to the group I've created

Open the activate user wizard for CopSSH, choosing the user, "/bin/sftponly" and

  • Remove copssh home directory if it exists **Remains checked
  • Create keys for public key authentication **Remains checked
  • Create link to user's real home directory **Remains checked

This works; however, every user has access to every other user's home directory as well as the CopSSH root directory.

So I tried denying access for all users to the user home directory:

cacls "C:\Program Files\CopSSH\home" /c /e /t /d sftp_users **Deny access for users to the user home directory

Then I tried adding permissions on a user-by-user basis for each user's home\username folder. However, these permissions were not allowed by Windows because the deny rule I created above at the home directory was being inherited and overriding my allow rule.

The next step for me would be to remove the deny rule at the home directory and, for each user folder, add a deny rule for every user it doesn't belong to and an allow rule for the one user it does belong to.

However, as my user list gets long, this will become very cumbersome.

Thanks for the help!
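One way to get the per-user lockdown the question asks for without a deny rule per user, as an added PowerShell example that is not from the post or from CopSSH: break ACL inheritance on each user's home folder so the inherited group deny/allow entries no longer apply there, then grant only that user (plus SYSTEM and Administrators). It assumes the C:\Program Files\CopSSH\home\<username> layout and the sftp_users group named in the question, and the Get-LocalGroupMember cmdlet (Windows 10 / Server 2016 and later; on older systems substitute your own list of user names).

```powershell
# Added example (not the post's or CopSSH's own code): lock each SFTP user into their own home folder.
# Assumptions: homes live under $copsshHome\<username>, the group is $group; adjust both as needed.
$copsshHome = 'C:\Program Files\CopSSH\home'
$group      = 'sftp_users'

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function Set-SftpUserHomeAcl {
    param([string]$Identity, [string]$Path)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from ...\home. $true = protect, $false = discard the inherited entries.
    # This is what removes the inherited deny that was overriding the per-user allow.
    $acl.SetAccessRuleProtection($true, $false)

    # Explicit entries only: the folder's owner, SYSTEM (for the service) and Administrators.
    # Deliberately no entry for the sftp_users group as a whole.
    $grants = @(
        @($Identity,                'Modify'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g[0], $g[1], $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Apply to every member of the group that has a home folder.
foreach ($member in Get-LocalGroupMember -Group $group) {
    $name     = $member.Name.Split('\')[-1]        # strip COMPUTER\ prefix for the folder name
    $userHome = Join-Path $copsshHome $name
    if (Test-Path -Path $userHome) {
        Set-SftpUserHomeAcl -Identity $member.Name -Path $userHome
    }
}

# Check: report any user folder that still carries an entry for the group.
Get-ChildItem -Path $copsshHome -Directory | ForEach-Object {
    $leak = (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference -like "*\$group" }
    if ($leak) { Write-Warning "$($_.FullName) still grants/denies $group" }
}
```

Users still need traverse access to ...\home itself to reach their own folder, so they may be able to list the names of sibling folders without being able to open them; the check at the end only confirms no folder carries a group-level entry after the change.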

© Server Fault or respective owner
