I wanted to set up a user that could sftp to my server without being able to see any of my filesystem. I found a couple of somewhat outdated guides and, by combining them, was able to get it working. The following steps assume you are running Ubuntu 8.04 Server with OpenSSH installed and the service started.

All the following commands require root privileges, so log in as root:

sudo -i

First you need to choose where the user's chroot jail should be. I am creating a user called 'sftp' and wanted to create the jail under /home:

mkdir /home/sftp

rssh is a restricted shell that can be used to limit a user to sftp only:

aptitude install rssh

Create the user, specifying a home directory within the chroot jail and rssh as the user's shell, then set a password:

useradd -m -d /home/sftp/files -s /usr/bin/rssh sftp
passwd sftp

Alternatively, if you are setting this up for an existing user, you can modify the line in /etc/passwd corresponding to that user.

You need to make some changes to the rssh configuration file:

vi /etc/rssh.conf

Add a line like the following for your user (the fields are user name, umask, access bits and chroot path; see the examples in the configuration file for an explanation of the syntax):

user = "sftp:022:00010:/home/sftp"

Next you need to modify the chroot creation script that ships with rssh:

vi /usr/share/doc/rssh/examples/mkchroot.sh

Make the following changes so that the script points at the Ubuntu locations of the sftp-server and rssh_chroot_helper binaries. Change

sftp_server_path="/usr/libexec/openssh/sftp-server"

to

sftp_server_path="/usr/lib/openssh/sftp-server"

and change

chroot_helper_path="/usr/libexec/rssh_chroot_helper"

to

chroot_helper_path="/usr/lib/rssh/rssh_chroot_helper"

Run the script to create the chroot jail:

/usr/share/doc/rssh/examples/mkchroot.sh /home/sftp

This copies the server's passwd file into the chroot jail. Edit out every user other than the one you are creating the jail for, so that the file contains only that account's line:

vi /home/sftp/etc/passwd

sftp:x:1001:1001::/home/sftp/files:/usr/bin/rssh

One necessary file, the dynamic loader, is missed by the script and needs to be copied over manually:

cp /lib/ld-linux.so.2 /home/sftp/lib/

You'll need to create /dev/null within the chroot jail (a character device, major 1, minor 3):

mknod -m 666 /home/sftp/dev/null c 1 3

To set up logging you'll need to edit the syslog defaults file:

vi /etc/default/syslogd

Change the SYSLOGD line so that syslogd also listens on a /dev/log socket inside the jail (the -a option adds an extra socket; without it the chrooted sftp-server cannot reach the real /dev/log and nothing gets logged). Change

SYSLOGD=""

to

SYSLOGD="-a /home/sftp/dev/log"

Restart the syslog service for the change to take effect:

/etc/init.d/sysklogd restart

Finally you'll have to set the setuid bit on the rssh_chroot_helper binary (note this is the original one, NOT the copy in the chroot jail):

chmod u+s /usr/lib/rssh/rssh_chroot_helper

You can then test to make sure things are working:

sftp sftp@localhost

If it doesn't work, check the system log:

tail -f /var/log/syslog
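Once the steps above are done, the following script (an added example, not part of the original post) checks the jail for the things that most often go wrong: leftover accounts in the jail's passwd, the missing loader, /dev/null and /dev/log, and the setuid bit being on the right copy of rssh_chroot_helper. It assumes the paths used in this post; the script name check_jail.sh is my own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for a jail
# built with the steps above. Assumed layout: JAIL/etc/passwd,
# JAIL/lib/ld-linux.so.2, JAIL/dev/null, JAIL/dev/log, and the real
# rssh_chroot_helper binary outside the jail.

# The jail's passwd must list only the jailed user; every other line that
# mkchroot.sh copied in leaks account names and UIDs into the jail.
jail_passwd_ok() {
    jail=$1; user=$2
    [ -f "$jail/etc/passwd" ] || { echo "missing $jail/etc/passwd"; return 1; }
    if grep -v "^$user:" "$jail/etc/passwd" | grep -q .; then
        echo "extra accounts in $jail/etc/passwd:"
        grep -v "^$user:" "$jail/etc/passwd"
        return 1
    fi
    grep -q "^$user:" "$jail/etc/passwd"
}

# Files a session needs inside the jail: the loader the script misses, a
# /dev/null character device (1,3) and the /dev/log socket syslogd -a creates.
jail_files_ok() {
    jail=$1; rc=0
    [ -f "$jail/lib/ld-linux.so.2" ] || { echo "missing $jail/lib/ld-linux.so.2"; rc=1; }
    [ -c "$jail/dev/null" ] || { echo "$jail/dev/null is not a character device"; rc=1; }
    [ -S "$jail/dev/log" ] || { echo "$jail/dev/log socket absent (restart sysklogd?)"; rc=1; }
    return $rc
}

# Only the helper outside the jail performs the chroot, so only it needs
# setuid; the copy inside the jail is never run and must not carry the bit.
helper_ok() {
    helper=$1; jail=$2
    [ -u "$helper" ] || { echo "$helper is not setuid"; return 1; }
    if [ -u "$jail$helper" ]; then
        echo "setuid bit set on in-jail copy $jail$helper"; return 1
    fi
}
check_jail() {
    rc=0
    jail_passwd_ok "$1" "$2" || rc=1
    jail_files_ok "$1" || rc=1
    helper_ok "$3" "$1" || rc=1
    [ "$rc" -eq 0 ] && echo "jail $1 looks complete"
    return $rc
}

# Usage: sh check_jail.sh /home/sftp sftp /usr/lib/rssh/rssh_chroot_helper
if [ $# -eq 3 ]; then check_jail "$1" "$2" "$3"; fi
```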

rbook and Ubuntu

This post explains how to install rbook 2.2 on the base Ubuntu 7.10 Server LAMP install. To quote the developer, rbook is:
An easy-to-install, database-driven recipe management system, with an easy to use interface for editing and viewing recipes. Includes basic authentication and authorization and an admin panel for editing users and categories
First download rbook from sourceforge.net and transfer the zip file to your Ubuntu server. You will need the program unzip in order to extract the files from the zip file. Assuming you are connected to your Ubuntu server via ssh:

sudo aptitude install unzip

You can then unzip the contents of the file:

sudo unzip rbook-2.2.zip -d /var/www/

You should now have the rbook files in /var/www/rbook/. You will need to copy the contents of .htaccess into a virtual host file, because by default Ubuntu does not allow the use of .htaccess files.

sudo cat /var/www/rbook/.htaccess

You should see something like:

Options +FollowSymLinks +ExecCGI
RewriteEngine On
#RewriteBase /
RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]

Copy the entire contents of the file. We can now create the virtual host file:

sudo vim /etc/apache2/sites-available/rbook.yourdomain.com

Insert the relevant information for your setup plus the directives from the .htaccess file. You should end up with something like:

<VirtualHost *>
    ServerName rbook.yourdomain.com
    DocumentRoot /var/www/rbook/
    <Directory /var/www/rbook/>
        Options +FollowSymLinks +ExecCGI
        RewriteEngine On
        #RewriteBase /
        RewriteRule ^$ index.html [QSA]
        RewriteRule ^([^.]+)$ $1.html [QSA]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ dispatch.php [QSA,L]
    </Directory>
</VirtualHost>

You then need to enable the virtual host:

sudo a2ensite rbook.yourdomain.com

You will also need to enable mod_rewrite:

sudo a2enmod rewrite

You will then need to reload apache:

sudo /etc/init.d/apache2 reload

You then need to install and set up some prerequisites for rbook to function correctly:

sudo aptitude install php-pear imagemagick
sudo pear install db

You should now be able to browse to http://rbook.yourdomain.com/install/. After choosing your language you'll get a couple of warnings about not being able to write directories or files.
This is ok because you don't want rbook to be able to write to everything; you can clean up the permissions after the install. The install page is mostly self-explanatory, and once you are done it will show you the config.php file you must put in /var/www/rbook/. A couple of modifications I needed to make: "DBPASSWORD" had my root password in it when it should actually be the password matching "DBUSER" (in my case I had made that rbook_admin). I also had an apostrophe in my "APPTITLE", which was then escaped with a '\'; I had to remove the '\' because it showed up in the page's header. You may want to look through the other options and set things as you desire.
Next create a folder for images and give the apache user ownership:

sudo mkdir /var/www/rbook/img
sudo chown www-data:www-data /var/www/rbook/img/

Next set the permissions on the templates_c directory for the default skin:

sudo chown www-data:www-data /var/www/rbook/skins/default/templates_c/

Check it out and make sure everything is working; you can then delete the install directory:

sudo rm -r /var/www/rbook/install/
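As an added example that is not part of the original post, this check verifies the permission clean-up just described: only img/ and skins/default/templates_c/ should belong to www-data, nothing else under /var/www/rbook should be group- or world-writable, and install/ should be gone. The script name rbook_perms.sh and the function name are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: after the install, confirm
# that only img/ and skins/default/templates_c/ belong to the web server
# user, that nothing else under the document root is group- or world-
# writable, and that the install/ directory has been removed.
rbook_perms_ok() {
    root=$1; webuser=$2; rc=0
    if [ -d "$root/install" ]; then
        echo "$root/install still present; remove it once the site works"; rc=1
    fi
    for d in img skins/default/templates_c; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory $root/$d"; rc=1; continue
        fi
        owner=$(stat -c %U "$root/$d")
        if [ "$owner" != "$webuser" ]; then
            echo "$root/$d is owned by $owner, expected $webuser"; rc=1
        fi
    done
    # Anything writable beyond those two directories is more access than
    # rbook needs; list it so it can be tightened.
    loose=$(find "$root" \( -perm -020 -o -perm -002 \) \
        ! -path "$root/img" ! -path "$root/img/*" \
        ! -path "$root/skins/default/templates_c" \
        ! -path "$root/skins/default/templates_c/*")
    if [ -n "$loose" ]; then
        echo "group- or world-writable outside the allowed directories:"
        echo "$loose"; rc=1
    fi
    return $rc
}

# Usage: sh rbook_perms.sh /var/www/rbook www-data
if [ $# -eq 2 ]; then rbook_perms_ok "$1" "$2"; fi
```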
OpenFiler is a free Linux-based storage management operating system I've been playing with on some old hardware I had kicking around. I was a little stumped on getting it set up with my home domain, and the documentation was not overly specific. I noticed quite a few other people were having some issues as well, so when I got it working I decided to put some of the details up here.

Specifically this is for OpenFiler 2.2:
