Use OpenSSH chroot and ACLs to let a user delete files under a certain folder

Jephe Wu -  http://linuxtechres.blogspot.com


Objective: allow normal user accounts to delete all files under /usr/local/tomcat/files/ and chroot them to /usr/local/ when they log in with sftp.
Environment: CentOS 5.4, OpenSSH 5.x; /usr/local/tomcat and all its subdirectories are owned by tomcat:tomcat


Challenges:
1. The OpenSSH shipped with CentOS 5.4 (4.3) cannot chroot; the ChrootDirectory option only appeared in the OpenSSH 4.8/4.9 releases.
2. The internal-sftp chroot requires that all components of the ChrootDirectory pathname be root-owned directories that are not writable by any other user or group, so we cannot chroot to /usr/local/tomcat/files: /usr/local/tomcat is owned by tomcat, not root.
3. /usr/local/tomcat/files is owned by tomcat, not by the user accounts. So although we can chroot to /usr/local/, we still need to give the user accounts permission to delete files there.


Approach:
1. Install the latest OpenSSH 5.x.
2. Use the chroot feature with internal-sftp: the user can only use sftp, not a shell, and is chrooted to /usr/local after login, which is allowed because /usr/local is owned by root.
3. Use ACLs to give the user write access to /usr/local/tomcat/files without the ability to list the files under /usr/local/tomcat.

Steps:
1. download and install OpenSSH 5.x (./configure; make; make install, which installs under /usr/local/, so the config file becomes /usr/local/etc/sshd_config)

or you can check this page to install a pre-compiled RPM instead:

http://linuxadminzone.com/quickly-upgrade-ssh-openssh-in-centos-linux-to-latest-5-5-version/


2. configure /usr/local/etc/sshd_config as follows (the [-u 0002] part is optional):
Subsystem    sftp    internal-sftp   [-u 0002]
Match Group chrooted
         ChrootDirectory /usr/local/
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp [-u 0002]


Note: -u 0002 specifies the umask applied to files the user creates after login (the -u option needs OpenSSH 5.4 or later). For example, to let two users share work on a project you can set
/usr/local to root:sftp with mode 755 (the chroot directory itself must stay root-owned and not group- or world-writable; do not apply a recursive chown/chmod to /usr/local when it also holds the tomcat tree, which must stay tomcat:tomcat)
/usr/local/XXXX to apache:sftp -R, chmod 775 -R and chmod g+ws on the XXXX directory tree (the setgid bit makes new files inherit the sftp group)

so that, with the group-writable setgid project folder and a 0002 umask, both users can work on the same files.

Note: if you want to set up a chrooted, sftp-only environment for all users belonging to the sftponly group, you can do this:


Match   Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp

or

Match   Group sftponly
        ChrootDirectory /sftponly
        ForceCommand internal-sftp
 
note: you can give /sftponly (or each home directory, when using %h) root:sftponly ownership. The chroot directory itself must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login, so do not give the group write permission on that folder.
If users need to upload, create a subfolder under /sftponly (or under the home directory) and give write permission on that subfolder only, not on the parent folder.
 
3. create user account jephe:
useradd jephe
groupadd chrooted
usermod -a -G chrooted jephe

(-a appends chrooted to the user's existing supplementary groups; -G on its own replaces them)

4. mount the partition that holds /usr/local/ with the acl option, e.g. mount -o remount,acl <mountpoint>, and add acl to that filesystem's options in /etc/fstab so it survives a reboot


5. set ACLs for user jephe
setfacl -m u:jephe:x /usr/local/tomcat/
setfacl -m u:jephe:rwx /usr/local/tomcat/files

Note: user jephe can now delete any file under /usr/local/tomcat/files (deleting needs write and search permission on the directory, not on the files themselves, so it does not matter that the files are owned by tomcat), but cannot list the other entries under /usr/local/tomcat, because the x-only ACL allows traversal without reading the directory. Check the result with getfacl /usr/local/tomcat /usr/local/tomcat/files. Keep in mind that other world-readable directories under /usr/local remain listable inside the chroot. The user can configure WinSCP to open /tomcat/files directly (after the chroot, /usr/local appears as / to the user).
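Before restarting sshd it is worth checking the ChrootDirectory requirement from challenge 2 up front, because a violation only shows up as a failed login and a "bad ownership or modes for chroot directory component" line in the sshd log. The script below is an added example, not part of the original post: it walks every component of the path (for /usr/local that is /, /usr and /usr/local) and reports any that is not a root-owned directory or is group- or world-writable, and, where /proc/mounts is readable, whether the filesystem holding the path was mounted with acl as in step 4. The path /usr/local comes from the page; the function names are my own.

```shell
#!/bin/sh
# chroot_preflight.sh: check that a directory satisfies sshd's
# ChrootDirectory rules (every path component is a root-owned directory,
# not group- or world-writable) and that its filesystem has acl enabled.
# Added example for this page; not part of the original post.

# Check a single directory; print one line per problem, return 1 if any.
check_component() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    # "ls -ldn" prints e.g. "drwxr-xr-x 2 0 0 4096 Jan  1  2010 /usr":
    # field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$dir")
    perm=$1
    uid=$3
    if [ "$uid" != 0 ]; then
        echo "$dir: owned by uid $uid, must be root (uid 0)"
        problems=1
    fi
    # In the mode string the 6th character is the group write bit and
    # the 9th the other (world) write bit.
    case $perm in
        ?????w*) echo "$dir: group-writable ($perm)"; problems=1 ;;
    esac
    case $perm in
        ????????w*) echo "$dir: world-writable ($perm)"; problems=1 ;;
    esac
    return $problems
}

# Check "/" and every ancestor of an absolute path, e.g.
# /usr/local -> / /usr /usr/local. Returns 0 only if all components pass.
check_chroot_dir() {
    target=$1
    status=0
    check_component / || status=1
    current=""
    old_ifs=$IFS
    IFS=/
    set -- $target
    IFS=$old_ifs
    for part in "$@"; do
        [ -z "$part" ] && continue      # empty pieces from leading/trailing "/"
        current="$current/$part"
        check_component "$current" || status=1
    done
    return $status
}

# Report whether the filesystem holding $1 lists "acl" among its mount
# options (Linux only, reads /proc/mounts). Returns 0 if acl is present.
# Caveat: on filesystems where acl is a built-in default (newer ext4),
# /proc/mounts may not show the option even though ACLs work.
mount_has_acl() {
    if [ ! -r /proc/mounts ]; then
        echo "cannot read /proc/mounts, skipping acl check"
        return 2
    fi
    mp=$(df -P "$1" | awk 'NR == 2 { print $6 }')
    if awk -v mp="$mp" 'BEGIN { missing = 1 }
        $2 == mp { missing = (index("," $4 ",", ",acl,") == 0) }
        END { exit missing }' /proc/mounts; then
        echo "$mp is mounted with acl"
        return 0
    fi
    echo "$mp is not mounted with acl; run: mount -o remount,acl $mp"
    return 1
}

# Usage: sh chroot_preflight.sh /usr/local
if [ $# -gt 0 ]; then
    check_chroot_dir "$1" && echo "$1 is acceptable as a ChrootDirectory"
    mount_has_acl "$1"
fi
```

Run it as root against the intended ChrootDirectory (here /usr/local) after step 4 and before restarting sshd; every line it prints is a reason sshd would refuse the chroot or setfacl would fail.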