How to "lock" a local user only to their mount point ?

markmarques
NewUser
Posts: 9
Joined: 26 Feb 2018 13:27

How to "lock" a local user only to their mount point ?

#1

Post by markmarques » 19 Jun 2019 01:57

How to lock a local user to a single mount point?

Using XigmaNAS 12.0 beta, with only the SSH service active.

My premise was that every user would only be able to see below their own mount point...

So I have only 2 local users (user1 and user2) with their respective /mnt/user1 and /mnt/user2 mount points
(even on different ZFS pools)...
but if I log in with user1 I am able to browse the user2 contents.
Neither was supposed to "know" (browse or read) the other's contents...

Tried all the shells available in the Web GUI menu; the (old) FAQ document reports "scponly" as the correct option.
But even then, if I use FileZilla or any other SFTP program I can still see (browse) the other directory contents...
Tried the "nologin" option, but then I am not able to access or reach the server at all.

What am I doing incorrectly?
What options or parameters do I need to activate?

raulfg3
Site Admin
Posts: 4921
Joined: 22 Jun 2012 22:13
Location: Madrid (ESPAÑA)

Re: How to "lock" a local user only to their mount point ?

#2

Post by raulfg3 » 19 Jun 2019 08:33

12.0.0.4 (revision 6766)+OBI on SUPERMICRO X8SIL-F 8GB of ECC RAM, 12x3TB disk in 3 vdev in RaidZ1 = 32TB Raw size only 22TB usable


ms49434
Developer
Posts: 718
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1

Re: How to "lock" a local user only to their mount point ?

#3

Post by ms49434 » 19 Jun 2019 10:35

markmarques wrote (19 Jun 2019 01:57):
How to lock a local user to a single mount point?

Using XigmaNAS 12.0 beta, with only the SSH service active.

My premise was that every user would only be able to see below their own mount point...

So I have only 2 local users (user1 and user2) with their respective /mnt/user1 and /mnt/user2 mount points
(even on different ZFS pools)...
but if I log in with user1 I am able to browse the user2 contents.
Neither was supposed to "know" (browse or read) the other's contents...

Tried all the shells available in the Web GUI menu; the (old) FAQ document reports "scponly" as the correct option.
But even then, if I use FileZilla or any other SFTP program I can still see (browse) the other directory contents...
Tried the "nologin" option, but then I am not able to access or reach the server at all.

What am I doing incorrectly?
What options or parameters do I need to activate?

The FreeBSD manual has very detailed information about configuring sshd.
Most likely ChrootDirectory and Match are what you need.
1) XigmaNAS 12.0.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U2, 22GB out of 32GB ECC RAM, LSI 9300-8i IT mode in passthrough mode. Pool 1: 2x HGST 10TB, mirrored, SLOG: Samsung 850 Pro, L2ARC: Samsung 850 Pro, Pool 2: 1x Samsung 860 EVO 1TB , services: Samba AD, CIFS/SMB, ftp, ctld, rsync, syncthing, zfs snapshots.
2) XigmaNAS 12.0.0.4 amd64-embedded on a Dell T20 running in a VM on ESXi 6.7U2, 8GB out of 32GB ECC RAM, IBM M1215 crossflashed, IT mode, passthrough mode, 2x HGST 10TB , services: rsync.

raulfg3
Site Admin
Posts: 4921
Joined: 22 Jun 2012 22:13
Location: Madrid (ESPAÑA)

Re: How to "lock" a local user only to their mount point ?

#4

Post by raulfg3 » 19 Jun 2019 10:50

Sorry, I thought these were home users on SMB, not SSH. I did not read the post well.


markmarques
NewUser
Posts: 9
Joined: 26 Feb 2018 13:27

Re: How to "lock" a local user only to their mount point ?

#5

Post by markmarques » 20 Jun 2019 12:22

As I wrote in the first post, the users are local and only connect via SSH (not SMB).

Although, before I change the sshd_config file (via the web GUI file editor), can I have a simple example of how to add the ChrootDirectory, or a link to a previous example?

Tried some examples via the SSH Web GUI extra options with no success...
Most of them rendered the remote SSH unusable...

ms49434
Developer
Posts: 718
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1

Re: How to "lock" a local user only to their mount point ?

#6

Post by ms49434 » 21 Jun 2019 02:27

markmarques wrote (20 Jun 2019 12:22):
As I wrote in the first post, the users are local and only connect via SSH (not SMB).

Although, before I change the sshd_config file (via the web GUI file editor), can I have a simple example of how to add the ChrootDirectory, or a link to a previous example?

Tried some examples via the SSH Web GUI extra options with no success...
Most of them rendered the remote SSH unusable...

Which revision of XigmaNAS 12 beta are you on?
Which installation option did you choose, i.e. embedded, full, zfs on root?
What are the owner, group and permissions settings of /mnt?
What are the owner, group and permissions settings of the home directories?
How is the user set up, i.e. home directory, shell, primary group, additional groups?
What does your sshd configuration look like? Provide a screenshot or the content of /etc/ssh/sshd_config.
What exactly are your requirements?
- Do you want your users to access the server via a ssh terminal session?
- Do you want your users to access their home folders from a file browser/SFTP client?
- What access rights do you want to grant to the user, their group(s) and the rest of the world?

markmarques
NewUser
Posts: 9
Joined: 26 Feb 2018 13:27

Re: How to "lock" a local user only to their mount point ?

#7

Post by markmarques » 05 Aug 2019 19:31

Sorry for the delayed answer...
I will try to answer point by point...

I am using the latest 12.0.0.4.6677 revision of XigmaNAS.
Embedded install.
/mnt has "drwxrwxrwx root wheel" attributes.

I have two independent ZFS volumes
(/mnt/pool1 for user1) (/mnt/pool2 for user2).
Each user's home directory has all the "drwxrwxrwx" attributes and permissions...

The differences, though, are:
user1 admin
user2 nogroup

Each user setup was simply done via the WebGUI interface.

Here is the sshd_config:

% cat sshd_config
HostKeyAlgorithms ssh-ed25519,ssh-rsa,ssh-dss
HostKey /var/etc/ssh/ssh_host_rsa_key
SyslogFacility LOCAL3
Protocol 2
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
ChallengeResponseAuthentication yes
Port 21222
PermitRootLogin no
AllowTcpForwarding yes
Compression yes
PasswordAuthentication yes
PubkeyAuthentication no


My idea would be to let the users access only via SFTP (over SSH), but not be able to cross to the other volume...

ms49434
Developer
Posts: 718
Joined: 03 Sep 2015 18:49
Location: Neuenkirchen-Vörden, Germany - GMT+1

Re: How to "lock" a local user only to their mount point ?

#8

Post by ms49434 » 06 Aug 2019 21:48

Just follow the sshd_config manual pages. Ensure folder permissions are set properly. A possible solution could be to add the following to the additional parameters on the sshd configuration page:

# match maintenance user(s) first, so they keep the global (unrestricted) settings
Match User root
# user1: chroot into the pool. The chroot directory and every parent up to /
# must be owned by root and not writable by group or others, or sshd refuses the login
Match User user1
ChrootDirectory /mnt/pool1
# internal-sftp runs inside sshd, so no sftp-server binary is needed inside the chroot
ForceCommand internal-sftp
DisableForwarding yes
# user2: same treatment on the second pool
Match User user2
ChrootDirectory /mnt/pool2
ForceCommand internal-sftp
DisableForwarding yes
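The Match/ChrootDirectory approach only works if the chroot path satisfies sshd's ownership rule: every path component from the chroot directory up to / must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login and logs "bad ownership or modes for chroot directory" to the auth log. With /mnt and /mnt/pool1 both set to drwxrwxrwx, as described in post #7, the Match block above would lock the users out rather than in; the usual fix is to make the chroot root-owned with mode 755 and give each user a subdirectory inside it that they own and can write to. The following POSIX shell check is an added example, not code from this thread or from the XigmaNAS project; the check_chroot_path and check_user_dir function names, their optional TOP and OWNER_UID parameters, and the scratch tree they are exercised on are assumptions made here so the check can be run by a non-root user before touching the live configuration.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify that a directory meets the
# sshd ChrootDirectory rule. sshd walks from the chroot up to / and requires
# every component to be owned by root (uid 0) and not group/world-writable;
# otherwise the login is refused with "bad ownership or modes for chroot
# directory" in the auth log.
#
# Usage: check_chroot_path CHROOT [TOP] [OWNER_UID]
#   TOP       directory at which the upward walk stops (sshd uses /)
#   OWNER_UID uid every component must be owned by (sshd uses 0)
# Both extra parameters are assumptions made for this example so the check
# can be exercised on a scratch tree owned by a non-root user.
check_chroot_path() {
    start=$1
    dir=$1
    top=${2:-/}
    owner=${3:-0}
    [ -d "$dir" ] || { echo "FAIL: not a directory: $dir"; return 1; }
    dir=$(cd "$dir" && pwd -P)   # canonical absolute path, symlinks resolved
    top=$(cd "$top" && pwd -P)
    while :; do
        # ls -ldn prints a numeric uid: field 1 is the mode string, field 3 the uid
        set -- $(ls -ldn "$dir")
        mode=$1
        uid=$3
        if [ "$uid" != "$owner" ]; then
            echo "FAIL: $dir is owned by uid $uid, expected $owner"
            return 1
        fi
        # character 6 of the mode string is the group write bit, character 9 the
        # world write bit: "drwxrwxrwx" fails both, "drwxr-xr-x" passes
        if [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
           [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
            echo "FAIL: $dir is group- or world-writable ($mode)"
            return 1
        fi
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break    # reached the root before TOP; stop anyway
        dir=$(dirname "$dir")
    done
    echo "OK: $start satisfies the ChrootDirectory ownership rule"
    return 0
}

# Verify that the user-writable directory inside the chroot belongs to the
# user (uid given numerically), so uploads land there and nowhere else.
# Usage: check_user_dir DIR USER_UID
check_user_dir() {
    d=$1
    u=$2
    [ -d "$d" ] || { echo "FAIL: missing user directory $d"; return 1; }
    set -- $(ls -ldn "$d")
    [ "$3" = "$u" ] || { echo "FAIL: $d is owned by uid $3, expected $u"; return 1; }
    echo "OK: $d is owned by uid $u"
    return 0
}

# When run directly with a path argument (e.g. sh check_chroot.sh /mnt/pool1)
# the chroot is checked with sshd's real defaults (walk to /, owner uid 0).
# Without an argument nothing runs, so the file can also be sourced.
if [ $# -ge 1 ]; then
    check_chroot_path "$1"
fi
```

On the NAS, a clean result for /mnt/pool1 plus a user-owned subdirectory such as /mnt/pool1/user1 is the layout internal-sftp needs: the user lands in a read-only root-owned chroot and can only write inside their own subdirectory, and no path inside the chroot leads to the other pool.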
