SFTP Admin User

I am setting up an OpenSSH sFTP server.

I want to create a sFTP Admin user that can navigate all the folders and move them.

My approach is the following:

  1. Create the other users (let’s call it user_1) and directory

    sudo useradd user1
    
    sudo passwd user1
    
    sudo mkdir -p /var/datadrive/sftp-server/user1/user1
    
    sudo chown user1:user1 /var/datadrive/sftp-server/user1/user1
    
    sudo chmod 775 /var/datadrive/sftp-server/user1/user1
    
  2. Add the default group to the folders (so that even if sftp_admin creates a subfolder inside /user1, user1 can still write to it)

    sudo chmod g+s /var/datadrive/sftp-server/user1/user1
    sudo chown :EDPD1 /var/datadrive/sftp-server/user1/user1
    
    
  3. Add the sftp_admin user:

    sudo useradd sftp_admin
    sudo passwd sftp_admin
    sudo usermod -g user1 sftp_admin

  4. Add the sshd_config

    Match User sftp_admin
    ChrootDirectory /var/datadrive/sftp-server/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

    Match Group user1
    ChrootDirectory /var/datadrive/sftp-server/user1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

This works fine. However, if I set the group user1 in the sshd file first, it doesn't work (sftp_admin gets jailed to the /user1 folder). I am guessing that, by taking advantage of the top-down behavior, the sftp_admin configs apply before the group ones, so it is rooted to the sftp-server folder.

Is my approach correct? Is there a better way to achieve this?
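
The ordering effect described in the question, as an added example that is not part of the original post: sshd uses the first value it obtains for each keyword, so when two Match blocks both match a login, the earlier block decides ChrootDirectory. The function names and the simplified matcher (exact User/Group names only, no patterns or negation) are assumptions made for illustration; this is a model, not OpenSSH code.

```python
# Simplified model of how sshd resolves keywords across Match blocks.
# Assumption: only "User" and "Group" criteria with exact, comma-separated names.

def _criteria_match(tokens, user, groups):
    """All criterion/value pairs on a Match line must be satisfied."""
    for crit, names in zip(tokens[0::2], tokens[1::2]):
        wanted = set(names.split(","))
        if crit.lower() == "user":
            if user not in wanted:
                return False
        elif crit.lower() == "group":
            if not wanted & set(groups):
                return False
        else:
            raise ValueError(f"criterion not modelled: {crit}")
    return True

def effective_settings(config_text, user, groups):
    """Return keyword -> value for this login; the first obtained value wins."""
    settings = {}
    active = True  # lines before any Match line apply to everyone
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if keyword == "match":
            active = _criteria_match(value.split(), user, groups)
        elif active:
            settings.setdefault(keyword, value)  # later values are ignored
    return settings

def chroot_for(config_text, user, groups):
    return effective_settings(config_text, user, groups).get("chrootdirectory")

# The two blocks from the question (forwarding keywords omitted for brevity).
ADMIN_BLOCK = """Match User sftp_admin
ChrootDirectory /var/datadrive/sftp-server/
ForceCommand internal-sftp
"""
GROUP_BLOCK = """Match Group user1
ChrootDirectory /var/datadrive/sftp-server/user1
ForceCommand internal-sftp
"""
# "usermod -g user1 sftp_admin" puts sftp_admin in group user1, so both blocks match it.
ADMIN_GROUPS = ["user1"]

if __name__ == "__main__":
    print(chroot_for(ADMIN_BLOCK + GROUP_BLOCK, "sftp_admin", ADMIN_GROUPS))
    print(chroot_for(GROUP_BLOCK + ADMIN_BLOCK, "sftp_admin", ADMIN_GROUPS))
```

On a real host, `sshd -T -C user=sftp_admin,host=localhost,addr=127.0.0.1` prints the settings sshd itself resolves for that login, which is the authoritative check after any reordering of the file.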
