How to set up chroot and bindfs

To give a user restricted (SFTP-only) access to a specific set of directories, we combine an sshd chroot with bindfs mounts that expose the wanted paths, read-only, inside the chroot:
(tested on CentOS 7 x64)

1) Create the group, the user and the directories

groupadd sftponly
mkdir -p /home/sftproot/support/home
# secondary group apache so the user can read the httpd logs exposed below
useradd -d /home/sftproot/support -g sftponly -G apache -u 2021 -s /sbin/nologin support
# the chroot directory itself must be owned by root and must not be
# group- or world-writable, otherwise sshd refuses the login
chown root:root /home/sftproot/support
chmod 755 /home/sftproot/support
# the user's writable area lives one level below the chroot
chown support:sftponly /home/sftproot/support/home
cd /home/sftproot/support/
mkdir .ssh
touch .ssh/authorized_keys
chmod 0600 .ssh/authorized_keys
chown support .ssh/authorized_keys
chown support .ssh

2) Add the SFTP entries to /etc/ssh/sshd_config

# replaces the default "Subsystem sftp /usr/libexec/openssh/sftp-server" line
Subsystem sftp internal-sftp
# Match blocks must be the last thing in sshd_config: every directive that
# follows a Match line belongs to that block
Match Group sftponly
ChrootDirectory /home/sftproot/%u
ForceCommand internal-sftp
AllowTcpForwarding no
# check the file with "sshd -t" before restarting sshd

3) Set up the directory mounts using bindfs, which also lets us map file ownership and force read-only access
# bindfs is provided by the EPEL repository on CentOS 7
yum -y install bindfs

# every mount point must exist inside the chroot before bindfs is called;
# --map=root/support makes root-owned log files appear as owned by "support"
mkdir /home/sftproot/support/home/apache_logs
chown support /home/sftproot/support/home/apache_logs
bindfs --map=root/support -o ro /var/log/httpd /home/sftproot/support/home/apache_logs

mkdir /home/sftproot/support/home/tomcatA_logs /home/sftproot/support/home/tomcatB_logs
chown support /home/sftproot/support/home/tomcatA_logs /home/sftproot/support/home/tomcatB_logs
bindfs -o ro /opt/app/tomcatA/logs /home/sftproot/support/home/tomcatA_logs
bindfs -o ro /opt/app/tomcatB/logs /home/sftproot/support/home/tomcatB_logs

mkdir /home/sftproot/support/home/webapps_all
chown support /home/sftproot/support/home/webapps_all
bindfs -o ro /opt/app/storage /home/sftproot/support/home/webapps_all

