chroot jail for sftp on non-server 10.6.8

Discussion in 'macOS' started by Bill.the.Cat, Jan 19, 2012.

  1. Bill.the.Cat macrumors member

    Joined:
    Feb 13, 2011
    #1
    I'm trying to set up a machine running non-server Snow Leopard to allow SFTP access for a couple of users. I'd like to restrict them to specific directories on a secondary storage drive. The best set of instructions for doing this I've found is here at macresearch.org.

    They're a couple of years old and apparently have the unfortunate side effect of disabling the ability to mount afp volumes.

    Is anyone aware of a better method?

    Thanks!
     
  2. r0k macrumors 68040

    r0k

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #2
    I read through the directions and they talk about restricting the users to directories on the boot drive, not a secondary drive. Why don't you simply create your chroot jail on the boot drive?
     
  3. Bill.the.Cat, Jan 20, 2012
    Last edited: Jan 20, 2012

    Bill.the.Cat thread starter macrumors member

    Joined:
    Feb 13, 2011
    #3
    Boot drive is too small (80GB nominal) for all of the files. Maybe creating symbolic links to the secondary drive in users' home directories will work?

    If anyone is curious, I'm setting up a centralized backup location for about 10 colleagues to use with GoodSync. We have an old machine with an 80GB boot drive and an external 2TB. Our (university) IT doesn't provide any sort of backup of our machines so we decided to roll our own. For now we are doing it locally using afp for Mac users and smb for Windows users. At some point it would be nice to let people also sync/backup from home and to do that we will need to use SFTP. The standard SSH setup for OS X gives all users access to the entire file structure upon SFTP login.
     
  4. r0k macrumors 68040

    r0k

    Joined:
    Mar 3, 2008
    Location:
    Detroit
    #4
    I seem to remember that chroot jails and sym links don't play well together, but it's certainly worth a try. Your user would be chrooted to a jail on the boot drive which itself turns out to be a sym link to the folder you want them to use on another drive.


    No. Wait. The way they will get there after following the sym link is in /Volumes/other_drive. This means they now have access to everything on your system. Another possibility might be to disable OS X ftpd and use a third party ftpd that comes with its own user list and its own chroot jail.
     
  5. Bill.the.Cat thread starter macrumors member

    Joined:
    Feb 13, 2011
    #5
    Ah, that's an excellent idea, thanks very much. Any suggestions for something cheap/free? A quick search found lots of praise for Rumpus, but at $200+ for a license (even including edu discount) it's a little too pricey; we have enough money for a dozen or so GoodSync licenses but nothing left over. We'd likely only have a couple of clients connected at any given time, with most people syncing from their on-campus machines (and thus using afp or smb).

    Again thanks for the good ideas!
     
  6. nDarkness macrumors newbie

    Joined:
    Jan 10, 2012
    #6
    Macports may have an open source solution to suit your needs. It's worth a quick search.

    Sent from my DROID BIONIC using Tapatalk
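
An added example, not part of the thread: a pre-flight audit of a prospective SFTP jail directory covering the two issues discussed above, path ownership and symlinks that point out of the jail. It assumes the jail is enforced with OpenSSH's `ChrootDirectory`, which requires every path component to be root-owned and not writable by group or others; the function names are hypothetical.

```python
import os
import stat

def component_problems(jail, owner_uid=0):
    """Check sshd's ChrootDirectory rule on every path component up to /."""
    problems = []
    path = os.path.realpath(jail)
    while True:
        st = os.stat(path)
        if st.st_uid != owner_uid:
            problems.append((path, "not owned by uid %d" % owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "writable by group or others"))
        parent = os.path.dirname(path)
        if parent == path:  # reached /
            return problems
        path = parent

def symlink_problems(jail):
    """List symlinks under the jail that will not resolve inside it after chroot."""
    jail = os.path.realpath(jail)
    problems = []
    for dirpath, dirnames, filenames in os.walk(jail):  # does not follow links
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.readlink(link)
            if os.path.isabs(target):
                # After chroot, "/" is the jail, so the target is looked up under it.
                # (Nested links inside the target path are not followed here.)
                if not os.path.lexists(os.path.join(jail, target.lstrip("/"))):
                    problems.append((link, "absolute target missing inside jail: " + target))
            else:
                resolved = os.path.realpath(os.path.join(dirpath, target))
                if os.path.commonpath([jail, resolved]) != jail:
                    problems.append((link, "relative target leaves jail: " + target))
    return problems

if __name__ == "__main__":
    import sys
    for path, why in component_problems(sys.argv[1]) + symlink_problems(sys.argv[1]):
        print(path + ": " + why)
```

Run it with the jail path as the only argument before pointing `ChrootDirectory` at that directory; an empty result means both checks passed.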
     