SFTP Containment Solaris 10

wordpress meta

title: 'SFTP Containment Solaris 10'
date: '2016-10-12T09:13:45-05:00'
status: publish
permalink: /sftp-containment-solaris-10
author: admin
excerpt: ''
type: post
id: 982
category:
    - Solaris
    - SSH
tag: []
post_format: []

Using the sshd Match directive together with ChrootDirectory, it is possible to confine a user to an isolated folder.

This article describes how to get this done on Solaris 10. Using a more up-to-date version of Solaris is of course preferable, but in this case Solaris 10 is required by the application workload.

Your mileage may vary, and you could probably simplify this slightly. In our case the /apps tree cannot be owned by root, and we have several apps nodes, so we did it this way so that all apps nodes see the uploaded files.

To contain end users in an isolated folder, the following must be true:

1. An sshd new enough to support Match blocks. Solaris 10 needs patching to get a new enough sshd.

2. In our case, SFTP containment directly to a path under our /apps tree is not possible, since the top level of the chroot needs to be owned by root.

3. To accommodate this, we create /opt/svcaccxfr and then lofs (bind) mount it to /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr: the /apps path is the mount source and /opt/svcaccxfr the mount point (see the vfstab entry below).

4. Ensure the permissions are correct under the svcaccxfr folder. The uploads folder needs the correct user and group ownership and mode 775. In our case this was set from a DB node, which mounts the whole /apps tree as NFSv3. When /apps is NFSv4, as we use on the apps nodes, you may have issues setting permissions.

5. We also needed to set an exception in our clone process to keep /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr owned by root:root. Our clone process was setting the whole /apps tree recursively to the apps user and group, and root ownership of the chroot directory is a requirement for the SFTP Match setup.

# ssh -V
Sun_SSH_1.1.7, SSH protocols 1.5/2.0, OpenSSL 0x1000113f

# grep svcaccxfr /etc/passwd 
svcaccxfr:x:403:340:Accounting xfr sftp account:/opt/svcaccxfr:/bin/false

# tail -10 /etc/ssh/sshd_config
Match User svcaccxfr
  #ChrootDirectory /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr
  ChrootDirectory /opt/svcaccxfr
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp -u 017 -l info

# ls -l /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr
total 3
drwxrwxr-x   2 ebsppe_a ebsppe         4 Oct 11 14:14 uploads

# ls -l /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/ | grep svcaccxfr
drwxr-xr-x   3 root     root           3 Oct 11 12:38 svcaccxfr

# grep svcacc /etc/vfstab
## Special lofs/bind mount for SFTP containment svcaccxfr
/apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr - /opt/svcaccxfr  lofs    -       yes      -

# ls -l /opt | grep svcaccxfr
drwxr-xr-x   3 root     root           3 Oct 11 12:38 svcaccxfr

# ls -l /opt/svcaccxfr
total 3
drwxrwxr-x   2 ebsppe_a ebsppe         4 Oct 11 14:14 uploads
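The ownership and mode checks done by hand with ls above, scripted, as an added example that is not part of the original post. It assumes only Bourne-compatible sh and parses ls -ldn, since Solaris 10 ships no stat(1); the optional expected_uid and stop_dir parameters are my additions so the walk can be exercised on a non-root test tree.

```shell
#!/bin/sh
# Check the ownership and mode rules sshd applies to a Match ChrootDirectory:
# the chroot target and every directory above it must be owned by root (uid 0)
# and must not be group- or world-writable. A user-owned, 775 uploads/ folder
# *inside* the chroot is fine and is deliberately not walked here.
# Assumption: ownership is read with ls -ldn because Solaris 10 has no stat(1);
# backticks are used so the script also runs under the old Solaris /bin/sh.
# Usage: check_chroot_path /opt/svcaccxfr [expected_uid] [stop_dir]
#   expected_uid defaults to 0 (root); stop_dir defaults to / (whole path).
# Returns 0 when every component passes, 1 otherwise, naming each failure.
check_chroot_path() {
    d=$1
    want_uid=${2:-0}
    stop=${3:-/}
    rc=0
    if [ ! -d "$d" ]; then
        echo "FAIL $d: not a directory"
        return 1
    fi
    while :; do
        # ls -ldn fields: mode links uid gid size ... name
        set -- `ls -ldn "$d"`
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL $d: owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # Character 6 of the mode string is the group write bit and character 9
        # the world write bit; OpenSSH-derived sshd rejects the chroot if either
        # is set anywhere on the path (a trailing + or . for ACLs is tolerated).
        case $mode in
            ?????w*|????????w*)
                echo "FAIL $d: group or world writable ($mode)"
                rc=1 ;;
        esac
        [ "$d" = "$stop" ] && break
        d=`dirname "$d"`
        # Never walk past the filesystem root, even if stop_dir was not on the path.
        [ "$d" = / ] && stop=/
    done
    return $rc
}

# For the layout in this post (root-owned /opt/svcaccxfr over the lofs mount):
#   check_chroot_path /opt/svcaccxfr && echo "chroot path OK"
```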