Re: locking down sftp directory



Thomas Samson wrote:
"tilopa" <wgilgallon@xxxxxxxxx> writes:

I just installed and configured Cygwin SSH on a Windows2003 DC. We want
to have external clients be able to sftp into this server and be able
to upload and download files from a single particular directory. But
when I test this functionality I can connect to the server and am
dumped into the correct directory but I can then uplevel to the cygwin
root directory and have access to everything there. I have searched
quite a bit for a solution and have found nothing, except for
references to chroot which apparently can only be configured on a pure
unix machine. It is puzzling to me that more businesses would not need
this functionality, and what is the point of secure ftp if you cannot
lock your users into their home directory. Does anyone know of a better
free solution?

Well ... is this functionality really important to you?
Files have permissions, so you can limit the users' rights. I suppose you
can just modify the read, write and execution rights on the various places
where you don't want access (and maybe use a different group for remote
users).

The point of secure ftp is to do secure authenticated file transmission,
not to limit users ... the OS handles users and the limits (and cygwin
can handle some kind of limitations, but I would not trust such a thing).

And most businesses just set up a unix/linux box to do this kind of
thing (that is for the category 'better free solution')

--
Thomas Samson
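A small audit of what the permission-only approach suggested above actually hides, as an added example (Python, not from this thread): it models a directory tree as mode bits and owners, applies the Unix owner/group/other rules for a remote user, and reports which paths outside the home directory remain readable after "cd ..". The tree contents, uids and gids are constructed sample values.

```python
import posixpath
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class (owner, group or other)

@dataclass(frozen=True)
class Entry:
    mode: int  # permission bits only, e.g. 0o755
    uid: int   # owner
    gid: int   # owning group

def has_perm(entry, uid, gids, bit):
    """Check one bit the way Unix DAC does: exactly one class applies (owner, else group, else other)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == entry.uid:
        return bool(entry.mode & (bit << 6))
    if entry.gid in gids:
        return bool(entry.mode & (bit << 3))
    return bool(entry.mode & bit)

def ancestors(path):
    """Every directory above path, e.g. '/home/alice' -> ['/home', '/']; '/' -> []."""
    out = []
    while path != "/":
        path = posixpath.dirname(path)
        out.append(path)
    return out

def readable(tree, uid, gids):
    """Paths whose contents the user can read: X on every ancestor directory, R on the entry itself."""
    return {p for p, e in tree.items()
            if all(has_perm(tree[a], uid, gids, X) for a in ancestors(p))
            and has_perm(e, uid, gids, R)}

def exposure(tree, uid, gids, home):
    """Readable paths that are not under the user's home: what a remote user sees after 'cd ..'."""
    return sorted(p for p in readable(tree, uid, gids)
                  if p != home and not p.startswith(home + "/"))

# Constructed sample trees. Remote user alice: uid 1001, member of constructed group 2000 (sftp users).
# BEFORE: everything world-readable, the situation the original poster describes.
BEFORE = {"/": Entry(0o755, 0, 0), "/etc": Entry(0o755, 0, 0), "/etc/passwd": Entry(0o644, 0, 0),
          "/srv": Entry(0o755, 0, 0), "/srv/secret.txt": Entry(0o644, 0, 0), "/home": Entry(0o755, 0, 0),
          "/home/alice": Entry(0o755, 1001, 2000), "/home/alice/upload": Entry(0o770, 1001, 2000)}
# AFTER: '/' and '/home' traversable (x) but not listable (r); /srv limited to root and an admin group
# (constructed gid 10); /etc/passwd deliberately left world-readable, as the system needs it.
AFTER = {"/": Entry(0o711, 0, 0), "/etc": Entry(0o755, 0, 0), "/etc/passwd": Entry(0o644, 0, 0),
         "/srv": Entry(0o750, 0, 10), "/srv/secret.txt": Entry(0o640, 0, 10), "/home": Entry(0o711, 0, 0),
         "/home/alice": Entry(0o750, 1001, 2000), "/home/alice/upload": Entry(0o770, 1001, 2000)}

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        print(name, exposure(tree, 1001, {2000}, "/home/alice"))
```

Whatever must stay world-readable for the system itself (here /etc/passwd) remains visible after tightening; that residual exposure is what chroot removes and mode bits alone cannot.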

Thomas and Todd thanks for the response,

I guess I can live with the Cygwin limitation for now, and you are
right it is a Windows limitation ultimately, and at least they only have
read permission and cannot really access the root directory. I have
thought about the virtual machine solution, but it somehow does not
seem like a good idea for a production machine, I don't think my
manager would buy it anyway. What I really want to do is a straight
linux box configured with sftp and connect users to my windows directory
with samba and pam_ldap and whatever else I need, but I don't have the
time to figure it out for this project. I'll put it together for a
solution for future clients. I guess part of my frustration is that I
did not take the time when I had the chance in the past to really learn
Unix, and now I am sorry I did not.
Thanks again for your help.
