How to enable SFTP but disable shell for root
I already have SFTP for root user enabled on my server but I do not want any user to use root to execute any statements on the terminal. They should use their accounts. I have tried setting PermitRootLogin no in the sshd_config but I could not upload files to the server using SFTP. I also tried changing the shell to nologin and false but I cannot upload files.
So my issue is how can I be able to securely FTP files using root but not be able to use root on the terminal via ssh?
linux ssh sftp root sshd
asked yesterday
Farai Mugaviri
I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.
– Martin Prikryl
yesterday
1 Answer
You can't. The important part is that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her choosing or alternatively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.
In short: root SFTP implies root shell.
I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)
edited yesterday
answered yesterday
Eugen Rieck
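The alternative the answer recommends, sketched as an sshd_config fragment (an added example, not part of the original answer): root login stays off and a non-root account is restricted to SFTP, with write access granted through directory ownership instead of root. The group name sftpusers, the /srv/sftp paths and the upload directory are assumptions.

```conf
# /etc/ssh/sshd_config (fragment; constructed example)

# Weak: the setup from the question. Root can log in, so anyone holding
# that credential can overwrite any file on the system over SFTP.
# The external sftp-server is also started through the account's login
# shell, which is why a nologin or false shell breaks uploads.
# (The sftp-server path varies by distribution.)
#PermitRootLogin yes
#Subsystem sftp /usr/lib/openssh/sftp-server

# Corrected: no root login; SFTP is served inside sshd itself, so the
# account's shell can be nologin and transfers still work.
PermitRootLogin no
Subsystem sftp internal-sftp

# Accounts in the assumed group "sftpusers" get file transfer only.
Match Group sftpusers
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no

# Directory layout this fragment assumes:
#   /srv/sftp/<user>          owned by root, not writable by group or
#                             others (sshd refuses the chroot otherwise)
#   /srv/sftp/<user>/upload   owned by the account; uploads land here
# If files must end up in a tree owned by another user, grant group
# write on that one directory, or expose it inside the chroot with a
# bindfs mount as the answer suggests.
```

Check the file with `sshd -t` before reloading the daemon, and keep an existing session open until a new login succeeds.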