CopSSH SFTP -- limit users access to their home directory only
- by bradvido
Let me preface this by saying I've read and followed these instructions at the FAQ many times: http://www.itefix.no/i2/node/37
It does not do what the title claims... It allows every user access to every other user's home directory, as well as access to all subfolders below the copssh installation path.
I'm only using this for SFTP access and I need my users to be sandboxed into only their home directory.
If you know a fool-proof way to lock users down so they can see only their home directory and its subfolders, stop reading now and reply with the solution.
The details:
Here is exactly what i tried as I followed the FAQ. My copSSH installation directory is: C:\Program Files\CopSSH
net localgroup sftp_users /ADD **Create a user group to hold all my SFTP users
cacls c:\ /c /e /t /d sftp_users **For that group, deny access at the top level and all levels below
cacls "C:\Program Files\CopSSH" /c /e /t /r sftp_users **Allow my user group access to the copSSH installation directory and its subdirectories
For each sftp user, I create a new windows user account, then I:
net localgroup sftp_users sftp_user_1 /add **Add my user to the group I've created
Open the activate user wizard for CopSSH, choosing the user, "/bin/sftponly" and
Remove copssh home directory if it exists **Remains checked
Create keys for public key authentication **Remains checked
Create link to user's real home directory **Remains checked
This works, however, every user has access to every other user's home directory as well as the CopSSH root directory....
So I tried denying access for all users to the user home directory:
cacls "C:\Program Files\CopSSH\home" /c /e /t /d sftp_users **Deny access for users to the user home directory
Then I tried adding permissions on a user-by-user basis for each users home\username folder. However,these permission were not allowed by windows because of the above deny rule i created at the home directory was being inherited and over-riding my allow rule.
The next step for me would be to remove the deny rule at the home directory and for each user folder, add a deny rule for every user it doesn't belong to, and add an allow rule for the one user it does belong to.
However, as my user list gets long, this will become very cumbersome.
Thanks for the help!