SFTP: Limit SFTP Users Access to a Mount Directory Using chroot Jail

Claire Lee
Feb 8, 2023


Attaching an additional disk to a virtual machine instance functioning as SFTP server on Google Cloud Platform (GCP) and enhancing data security with chroot jail for restricted SFTP user and group access.


Set Up SFTP Server on GCP

See the earlier story on setting up an SFTP server on GCP.

Attach and Mount Disks to VM Instance

1. Create a Disk

[screenshot: create a disk]

2. Attach an Existing Disk

  • Check partition before attaching the disk
[root@sftp-server ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
└─sda2 8:2 0 19.8G 0 part /
  • Attach the Existing Disk
[screenshot: attach an existing disk]
  • Verify partition after attaching the disk
[root@sftp-server ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
└─sda2 8:2 0 19.8G 0 part /
sdb 8:16 0 10G 0 disk

sdb is the device name for the new blank persistent disk.

3. Format the Disk

sudo mkfs.ext4 -m 0 -F -E \
lazy_itable_init=0,lazy_journal_init=0,discard /dev/<DEVICE_NAME>


example:
sudo mkfs.ext4 -m 0 -F -E \
lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb

output:

mke2fs 1.42.9 (28-Dec-2013)
Discarding device blocks: done
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
655360 inodes, 2621440 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2151677952
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

4. Mount the Disk

  • Check partitions before mounting the disk
[root@sftp-server ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
└─sda2 8:2 0 19.8G 0 part /
sdb 8:16 0 10G 0 disk
  • Create a new directory as the mount point for the new disk
sudo mkdir -p /mnt/disks/<MOUNT_DIR>

example:
sudo mkdir -p /mnt/disks/test
  • Mount the disk to the directory
sudo mount -o discard,defaults /dev/sdb /mnt/disks/<MOUNT_DIR>

example:
sudo mount -o discard,defaults /dev/sdb /mnt/disks/test
  • Verify partitions after mounting the disk
[root@sftp-server ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 200M 0 part /boot/efi
└─sda2 8:2 0 19.8G 0 part /
sdb 8:16 0 10G 0 disk /mnt/disks/test

Configure Automatic Mounting on Restart

  • Create a backup of your current /etc/fstab file
sudo cp /etc/fstab /etc/fstab.backup
  • List the UUID of the disk
sudo blkid /dev/<DEVICE_NAME>

example:
sudo blkid /dev/sdb

output:

/dev/sdb: UUID="f62adc9a-6172-49cd-a704-33f79a1af8e2" TYPE="ext4" 
  • Create an entry in the fstab file that mounts the disk by UUID (the device name can change after a reboot; the UUID does not)
echo UUID=`sudo blkid -s UUID -o value /dev/sdb` \
/mnt/disks/<MOUNT_DIR> ext4 discard,defaults,nofail 0 2 | \
sudo tee -a /etc/fstab


example:
echo UUID=`sudo blkid -s UUID -o value /dev/sdb` \
/mnt/disks/test ext4 discard,defaults,nofail 0 2 | \
sudo tee -a /etc/fstab
  • Verify the entry in fstab file
cat /etc/fstab

output:

UUID=f62adc9a-6172-49cd-a704-33f79a1af8e2 /mnt/disks/test ext4 discard,defaults,nofail 0 2
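Added example (not part of the original story): a small shell function that checks an fstab entry against the conventions used above (UUID source, ext4, nofail so a detached disk does not block boot). It runs here against a constructed sample fstab, not the real /etc/fstab; the UUID is the one shown above.

```shell
#!/bin/sh
# check_fstab_entry FSTAB_FILE MOUNT_DIR
# Returns 0 when MOUNT_DIR has an entry that mounts by UUID, is ext4 and
# carries the nofail option; prints the reason and returns 1 otherwise.
check_fstab_entry() {
    fstab="$1"; mountdir="$2"
    while read -r src mnt fstype opts rest; do
        # skip blank lines and comments
        case "$src" in ''|\#*) continue ;; esac
        [ "$mnt" = "$mountdir" ] || continue
        case "$src" in
            UUID=*) ;;
            *) echo "$mountdir: source is '$src', expected UUID=... (device names can change after reboot)"; return 1 ;;
        esac
        [ "$fstype" = "ext4" ] || { echo "$mountdir: fstype '$fstype', expected ext4"; return 1; }
        case ",$opts," in
            *,nofail,*) ;;
            *) echo "$mountdir: missing nofail; a detached disk would block boot"; return 1 ;;
        esac
        echo "$mountdir: fstab entry OK ($src)"
        return 0
    done < "$fstab"
    echo "$mountdir: no fstab entry found"
    return 1
}

# Constructed sample fstab (not a real system file): one entry written the
# way the post does it, and one that mounts by device name without nofail.
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
UUID=f62adc9a-6172-49cd-a704-33f79a1af8e2 /mnt/disks/test ext4 discard,defaults,nofail 0 2
/dev/sdc /mnt/disks/bad ext4 discard,defaults 0 2
EOF

check_fstab_entry "$SAMPLE_FSTAB" /mnt/disks/test
check_fstab_entry "$SAMPLE_FSTAB" /mnt/disks/bad || true
```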

Limit SFTP Users Access to the Mount Directory Using Chroot Jail

User

  1. Create a new user
sudo adduser <USERNAME> -s /sbin/nologin
sudo passwd <USERNAME>


enter and verify the password

example:
sudo adduser test-user -s /sbin/nologin
sudo passwd test-user

2. Configure SSH for SFTP Access

In /etc/ssh/sshd_config, comment out the existing Subsystem sftp /usr/libexec/openssh/sftp-server line and add the following new lines (the Match block goes at the end of the file, since every line after a Match applies only to that match).

#Subsystem   sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User test-user
ChrootDirectory /mnt/disks/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

3. Restart SSH service

sudo systemctl restart sshd

4. Switch ownership and file permissions

  • Examine file permissions of the /mnt/disks/ directory
[root@sftp-server ~]# ls -al /mnt/disks/
total 4
drwxr-xr-x. 3 root root 18 Feb 7 23:34 .
drwxr-xr-x. 3 root root 19 Feb 7 23:34 ..
drwxr-xr-x. 3 root root 4096 Feb 7 23:27 test
  • Give the user full access to the /mnt/disks/test directory (the chroot parent /mnt/disks/ itself must stay owned by root and not writable by others, or sshd will refuse the login)
sudo chown test-user:root /mnt/disks/test
sudo chmod 700 /mnt/disks/test
  • Verify file permissions of the /mnt/disks/ directory
[root@sftp-server ~]# ls -al /mnt/disks/
total 4
drwxr-xr-x. 3 root root 18 Feb 7 23:34 .
drwxr-xr-x. 3 root root 19 Feb 7 23:34 ..
drwx------. 3 test-user root 4096 Feb 7 23:27 test

5. Test the test-user

sftp test-user@<VM_EXTERNAL_IP>

enter password
Connected to <VM_EXTERNAL_IP>.
sftp> ls
test
sftp> pwd
Remote working directory: /
sftp>

Group

1. Create a new group

sudo groupadd <GROUP_NAME>

example:
sudo groupadd sftpgroup

2. Create a new user in the SFTP group

sudo adduser <USERNAME> -g <GROUP_NAME> -s /sbin/nologin
sudo passwd <USERNAME>


enter and verify the password

example:
sudo adduser test-group-user -g sftpgroup -s /sbin/nologin
sudo passwd test-group-user

3. Configure SSH for SFTP Access

In /etc/ssh/sshd_config, comment out the existing Subsystem sftp /usr/libexec/openssh/sftp-server line and add the following new lines (the Match block goes at the end of the file, since every line after a Match applies only to that match).

#Subsystem   sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match Group sftpgroup
ChrootDirectory /mnt/disks/
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

4. Restart SSH service

sudo systemctl restart sshd

5. Switch ownership and file permissions

  • Examine file permissions of the /mnt/disks/ directory
[root@sftp-server ~]# ls -al /mnt/disks/
total 4
drwxr-xr-x. 3 root root 18 Feb 7 23:34 .
drwxr-xr-x. 3 root root 19 Feb 7 23:34 ..
drwxr-xr-x. 3 root root 4096 Feb 7 23:27 test
  • Give the user and the SFTP group full access to the /mnt/disks/test directory (the chroot parent /mnt/disks/ itself stays owned by root and not group/world writable)
sudo chown test-group-user:sftpgroup /mnt/disks/test
sudo chmod 770 /mnt/disks/test
  • Verify file permissions of the /mnt/disks/ directory
[root@sftp-server ~]# ls -al /mnt/disks/
total 4
drwxr-xr-x. 3 root root 18 Feb 7 23:34 .
drwxr-xr-x. 3 root root 19 Feb 7 23:34 ..
drwxrwx---. 3 test-group-user sftpgroup 4096 Feb 8 01:04 test

6. Test the test-group-user

sftp test-group-user@<VM_EXTERNAL_IP>

enter password
Connected to <VM_EXTERNAL_IP>.
sftp> ls
test
sftp> pwd
Remote working directory: /
sftp>
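Added example (not part of the original story), covering the ownership step of both the User and Group sections: a shell function that audits a ChrootDirectory tree the way sshd does before honouring it. sshd refuses the login unless the chroot directory and every parent up to / are owned by root and not writable by group or others, which is why /mnt/disks/ stays root-owned 755 and the user-writable test directory sits one level below it. The OWNER_UID and TOP parameters are assumptions of this example (they default to root and /) so the check can be run on a constructed staging tree instead of the real /mnt/disks/.

```shell
#!/bin/sh
# check_chroot_tree CHROOT [OWNER_UID] [TOP]
# Walks from CHROOT up to TOP (default /) and requires every directory to be
# owned by OWNER_UID (default 0, root, which is what sshd enforces) and to
# have neither the group nor the other write bit set.
check_chroot_tree() {
    cdir="$1"; owner="${2:-0}"; top="${3:-/}"
    dir="$cdir"
    while :; do
        # %u = numeric owner uid, %A = symbolic mode such as drwxr-xr-x (GNU stat)
        uid=$(stat -c '%u' "$dir") || return 1
        perms=$(stat -c '%A' "$dir") || return 1
        [ "$uid" = "$owner" ] || { echo "$dir: owner uid $uid, sshd requires root"; return 1; }
        case "$perms" in
            ?????w*|????????w*)   # 6th char = group write, 9th char = other write
                echo "$dir: $perms is group/world writable, sshd will reject the chroot"; return 1 ;;
        esac
        [ "$dir" = "$top" ] && break
        dir=$(dirname "$dir")
    done
    echo "$cdir: chroot tree OK"
}

# Constructed staging tree (not a real server path): "good" mirrors the post's
# layout (755 chroot parent, 700 upload directory inside), "bad" has a
# world-writable chroot parent, the mistake chmod 777 on /mnt/disks would make.
STAGE=$(mktemp -d)
trap 'rm -rf "$STAGE"' EXIT
mkdir -p "$STAGE/good/test" "$STAGE/bad/test"
chmod 755 "$STAGE/good"; chmod 700 "$STAGE/good/test"
chmod 777 "$STAGE/bad";  chmod 700 "$STAGE/bad/test"

check_chroot_tree "$STAGE/good" "$(id -u)" "$STAGE"
check_chroot_tree "$STAGE/bad" "$(id -u)" "$STAGE" || true
```

On the real server the call is simply check_chroot_tree /mnt/disks, which walks up to / and insists on root ownership.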
