SOLVED Chroot for SFTP doesn't work? (upd: works, manual included)

Aku (Dabbler, joined Apr 20, 2023, 28 messages)
TrueNAS SCALE 22.12.2. Users, despite chroot being enabled, can climb above their home directory. Yes, they can only view the list of files, but this is also unacceptable. I have seen several threads on the forum about this, but nowhere is there a solution to the problem.
 

Aku
Chroot is working now! I'm leaving instructions for those who are puzzled by the same question. For chroot to work, you need the following:

  • All folders in the path to the user's home folder must be owned by root with permissions 755

  • Inside the home folder you need to create a folder in which the user can write (it doesn't matter whether the user owns it or gets write permission through the group)

  • In the SSH service settings, in the "Auxiliary Parameters" field, add the following lines:

Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

When the service is restarted, TrueNAS writes these lines to /etc/ssh/sshd_config, which is what we need.

The first line says that the subsequent settings apply to a specific group (in my example "sftp", but you can create any group).
The second line says that the user's home folder will be used as the chroot directory.
The third line says that the user will only work in SFTP mode.
The fourth and fifth lines are optional. They disable TCP port forwarding and X11 forwarding respectively.


  • Add the required users to the "sftp" group

  • Restart the SSH service


This is all.


As an example:

  • The user "user1" is a member of the group "sftp". Home directory "/mnt/pool1/user1". "/mnt", "/mnt/pool1" and "/mnt/pool1/user1" have permissions 755, the owner is "root" and the group is "root". The folder for writing files is "/mnt/pool1/user1/files" with permissions 750, owner "user1", group "root".

  • The user "user2" is a member of the group "sftp". Home directory "/mnt/pool1/user2". "/mnt", "/mnt/pool1" and "/mnt/pool1/user2" have permissions 755, the owner is "root" and the group is "root". The folder for writing files is "/mnt/pool1/user2/files" with permissions 750, owner "user2", group "root".

  • For convenience, when connecting, you can immediately set the initial folder to “/files” in your sftp client.
 