Sftp Chroot and directory permissions within Chroot



I've got a chrooted SFTP setup that, for the most part, is working as
designed. I have the following in my sshd config file:

Match group sftponly
ChrootDirectory /var/chroot/sftp
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

The permissions on /var/chroot/sftp are:

drwxr-xr-x 16 root root 4096 2009-01-21 11:32 var
drwxr-xr-x 4 root root 4096 2009-01-20 09:45 chroot
drwxr-xr-x 7 root root 99 2009-01-22 09:47 sftp

I have sftp accounts set up as such:

user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash

The chroot itself is working fine. When these accounts sftp, they are
placed into the directory path /var/chroot/sftp/account_name, where they
are able to successfully upload and download. Furthermore, they are
successfully jailed inside /var/chroot/sftp.

I have the permissions set on the home directories as such:

drwxr-x--- 2 user1 root 6 2009-01-21 15:58 user1
drwxr-x--- 2 user2 root 21 2009-01-21 15:54 user2

The problem I'm having is that when user1 (for example) establishes an
sftp session, they can issue the following commands:

shell:~$ sftp user1@sftp_machine
Connecting to sftp_machine...
user1@sftp_machine's password:
sftp> pwd
Remote working directory: /user1
sftp> cd ..
sftp> ls
user1 user2
sftp> cd user2
sftp> pwd
Remote working directory: /user2
sftp> ls
Couldn't get handle: Permission denied
sftp>

Now, thankfully, the 750 permissions are preventing the user from
getting a listing of the contents of the second user's directory. But
why is the first user allowed to enter the second user's directory?

One more thing: this is not just happening with user1. It is possible
with all of the sftp accounts on this machine. Also, if I change the
home directory permissions from 750 to 700, the problem persists.

Finally, I should add that, if pertinent, this machine is running Debian
Lenny and is running Debian's package of openssh -- version 5.1p1

Can anybody explain what I am doing wrong?

Thanks,
Bryan


--
Bryan K. Walton, Systems Administrator
Division of Physiologic Imaging, University of Iowa Hospitals and Clinics
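The following audit script is an added example and is not part of the thread or of OpenSSH itself. It checks the two properties a chrooted internal-sftp setup depends on: every component of ChrootDirectory must be owned by root and writable only by root (sshd refuses the chroot otherwise), and no two accounts may share a numeric UID, because the kernel applies file permissions by UID rather than by account name. The sample passwd data reproduces the two account lines quoted in the post, which both carry UID 1002, plus a root line and a constructed third account; the audit flags the shared UID. Note also that an sftp `cd` is a server-side realpath that only needs search permission on the parent directories (here the chroot root, mode 755), while `ls` opens the directory and needs read permission on it, so entering a 750 or 700 directory and then being refused a listing is the permission check doing its job. The script uses GNU `stat -c`, so it assumes a Linux host.

```shell
#!/bin/sh
# Added audit helper for a chrooted internal-sftp setup (not from the original post).

# Constructed sample passwd data: the two lines from the post (both UID 1002),
# a root line and an invented third account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user1:x:1002:1004:SFTP Account,,,:/user1:/bin/bash
user2:x:1002:1004:SFTP Account2,,,:/user2:/bin/bash
user3:x:1003:1004:SFTP Account3,,,:/user3:/bin/bash'

# Return 0 when a directory with numeric owner $1 and octal mode $2 is an
# acceptable ChrootDirectory component: owned by root (uid 0) and not
# writable by group or others. Any setuid/setgid/sticky digit is ignored.
component_ok() {
    owner=$1
    mode=$2
    [ "$owner" -eq 0 ] || return 1
    o=${mode#"${mode%?}"}          # last octal digit: others
    rest=${mode%?}
    g=${rest#"${rest%?}"}          # second-to-last digit: group
    case "$g$o" in
        *[2367]*) return 1 ;;      # write bit (2) set in group or others
    esac
    return 0
}

# Walk every component of the absolute path $1 (as sshd does for
# ChrootDirectory) and print "ok", or the first component that fails.
check_chroot_path() {
    rest=${1#/}
    path=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        path="$path/$comp"
        st=$(stat -c '%u %a' "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
        set -- $st
        component_ok "$1" "$2" || { echo "bad: $path (uid $1 mode $2)"; return 1; }
    done
    echo "ok"
}

# Read passwd-format lines on stdin and print "uid name1 name2 ..." for
# every UID that more than one account shares.
find_duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u names[u] }' | sort
}

# Stand-alone demonstration on the constructed data and on the live host.
printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_uids
component_ok 0 755 && echo "755 root-owned: acceptable chroot component"
component_ok 0 775 || echo "775 root-owned: group-writable, sshd will refuse it"
component_ok 1002 700 || echo "700 owned by uid 1002: not root-owned, sshd will refuse it"
[ -d /var/chroot/sftp ] && check_chroot_path /var/chroot/sftp
```

Run it as root on the sftp host; pipe `getent passwd` into `find_duplicate_uids` to audit the real account database instead of the embedded sample, and point `check_chroot_path` at whatever ChrootDirectory the Match block names.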


