1
I am testing an SFTP server. In my sftp configuration, there is the line "Match Group sftponly". That is, from what I understood only users who are from the group 'sftponly' could access the SFTP. But I noticed something worrying. On the same server I have a user named 'john', created to access another service. I mean, he’s not from the sftponly group. But if john opens Filezilla and tries to access SFTP, he can, even if he is not from the 'sftponly' group. And worse! I noticed that in Filezilla it has access (even if only read) to the whole system! Because it is not from the sftponly group, it is not directed to the folder determined in the Chrootdirectory parameter of sftp. It simply drops into your HOME folder and from there you can exit it and view all other system folders. My question: it is possible to limit SFTP only to users who are actually part of the 'sftponly' group, but allow john to continue accessing other services that use the SSH protocol?
Which sftp server is using? By any chance is the
vsftpd?– gfleck
I took a look at the doc and from what I understood the Matchgroup parameter actually serves to create users without shell(SSH) and not the other way around (https://wiki.archlinux.org/index.php/SFTP_chroot), you can use jails for this -> https://linode.com/docs/tools-reference/tools/limiting-access-with-sftp-jails-on-debian-and-Ubuntu/
– Gustavo Fast