Mac Geekery
tony asks:

Question

How do you set up/configure SFTP on Tiger Server 10.4.8 so that users are restricted to the folder you specify and are not able to wander freely everywhere? I am able to do this for regular FTP using Pure FTPd but have found nothing helpful for doing the same using SSH. Thanks a lot for your help.

Answer

It’s hard. It’s doable, but it’s a little bit complicated and involves recompiling OpenSSH and applying a third-party patch to make it work. This is because, as you note, OpenSSH does not have this feature; it wasn’t intended to work in that fashion. That said, someone’s already gone through the trouble of writing up a set of instructions on how to accomplish this, so I’d just go over those and see how they work. Now, surely, OpenSSH and chrootssh have had updates since then, so read both sites and find compatible versions before proceeding with it.

Now, one could set up a full chroot environment for every user, but a real chroot is likely not what you want at all, so I won’t touch that. You want the above.

Or Use Permissions

Or, you can do it the really easy way: make a new user for secure communications, add that user to a new group, and then give that group no access to roam around the machine (ACLs are your friend). It’s easier, less hacky, and a slight bit more geeky and proper.

First, turn on ACLs on your boot volume and then restart (the volume must be remounted):

sudo fsaclctl -p / -e

Once you’re back, get the Server Admin Tools from Apple’s download site. Open the disk image, go to Installers/Packages and install only ServerAdminTools (the other package is not useful to us and requires a restart). Once done, run Software Update to get the latest version.

Open Workgroup Manager and press ⌘D to get the local directory for your machine, then click on the lock below the toolbar on the right and authenticate as the local admin for your machine. Click on Accounts and create whatever accounts you want for this.
Do the same for groups and add the members to the groups. Ensure you have at least one group all of these folks share for the next step.

Now that you have some people in some groups and one main group you can use to block access, read the section of the chmod manual page that talks about ACLs (in

sudo chmod +a "evilgroup deny list,search" /System

Now anyone in

Be very careful who you lock out of the core OS directories or the system may not start up properly. Never lock out the administrator or any pre-existing group, only users or groups you created.
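The deny-ACL step above, scripted as an added example that is not part of the original answer: it builds one chmod +a "deny list,search" entry per directory for a group you created, refuses any group on a protected list (the answer's caveat about pre-existing groups), and can apply the entries and show the resulting ACL with ls -le. The group name evilgroup, the directory list and the PROTECTED_GROUPS contents are constructed assumptions; applying the commands requires Mac OS X's ACL-aware chmod.

```shell
#!/bin/sh
# Added example: generate and optionally apply "deny list,search" ACL entries
# for a group created for SFTP users, as the answer does for /System.
# Assumes Mac OS X (Tiger or later) with ACLs enabled on the volume when applying.

# Groups that must never be locked out (constructed list; extend it with every
# other pre-existing group on your own system before use).
PROTECTED_GROUPS="admin wheel staff everyone"

# Return 0 if the group is on the protected list, 1 otherwise.
is_protected_group() {
    for g in $PROTECTED_GROUPS; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# Print one chmod command per directory, one per line, without running anything.
# Usage: build_deny_acl_cmds GROUP DIR...   (fails for a protected group)
build_deny_acl_cmds() {
    group=$1; shift
    if is_protected_group "$group"; then
        echo "refusing to lock out pre-existing group '$group'" >&2
        return 1
    fi
    for dir in "$@"; do
        printf 'sudo chmod +a "%s deny list,search" "%s"\n' "$group" "$dir"
    done
}

# Run the generated commands, then show each directory's ACL (ls -le is BSD ls).
# Usage: apply_deny_acls GROUP DIR...
apply_deny_acls() {
    cmds=$(build_deny_acl_cmds "$@") || return 1
    printf '%s\n' "$cmds" | while read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
    shift
    ls -led "$@"
}

# Dry run with the constructed group and the answer's directory plus two more:
# build_deny_acl_cmds evilgroup /System /Library /Applications
```

Review the dry-run output before calling apply_deny_acls, since a deny entry on the wrong directory is exactly the startup problem the answer warns about.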
About Adam Knight
Author Biography

Adam Knight is one of the founders of Mac Geekery and is a geek at heart. Programmer by day, hacker by night, his daily life revolves around the Macintosh platform, of which he has been a user and programmer since the early days of System 7, when his LC II replaced his Apple //c. In between tech jobs, he’s managed to learn the basics of any web hacker: PHP, MySQL, Perl, Apache, Linux, *BSD, and the intricacies of ./configure --prefix=~/bombshelter/. Today, codepoet is concentrating on blogging again, writing some software for the Mac by himself (including Notae) and for his company (such as Switchblade), and has a few other toys coming out soon. Bug him over AIM or email [link fixed].
Should work, but still way too time-consuming in order to make sure you’ve prevented access to really everything. This is something that hopefully Apple (or someone) will address in order to make it as easy as FTP.
Thank you very much for taking the time to talk about this.
You could initiate your jail and run those services inside the jail. When I say “jail”, I mean chroot jail.
A real chroot, as I touched on, takes a bit of knowledge to set up as a shell home, which is what SCP/SFTP will be using. If patching SSH was too much trouble, then for the sake of this answer, a real chroot would be as well.
Though, I did ponder that solution.