How to enable SFTP but disable shell for rootSFTP with chroot in a folder that can not have root...

Relationship between strut and baselineskip

What's the polite way to say "I need to urinate"?

Is Diceware more secure than a long passphrase?

Was there a Viking Exchange as well as a Columbian one?

Can an Area of Effect spell cast outside a Prismatic Wall extend inside it?

Philosophical question on logistic regression: why isn't the optimal threshold value trained?

What makes accurate emulation of old systems a difficult task?

How can I practically buy stocks?

Size of electromagnet needed to replicate Earth's magnetic field

Is there really no use for MD5 anymore?

a sore throat vs a strep throat vs strep throat

Why did C use the -> operator instead of reusing the . operator?

acheter à, to mean both "from" and "for"?

Is there a way to generate a list of distinct numbers such that no two subsets ever have an equal sum?

"The cow" OR "a cow" OR "cows" in this context

What's the name of these pliers?

Dynamic SOQL query relationship with field visibility for Users

How come there are so many candidates for the 2020 Democratic party presidential nomination?

I preordered a game on my Xbox while on the home screen of my friend's account. Which of us owns the game?

What is causing the white spot to appear in some of my pictures

A Paper Record is What I Hamper

On The Origin of Dissonant Chords

Providing evidence of Consent of Parents for Marriage by minor in England in early 1800s?

How does Captain America channel this power?



How to enable SFTP but disable shell for root


SFTP with chroot in a folder that can not have root privilegesWhy is SSH/SFTP failing for commands with larger returns?SFTP: Connection closedHow to enable ssh key authentication for root users?How to set the permissions for SFTP user in redhat linux?FreeBSD add password-based ftp authenticationHow to use Filezilla SFTP with root disabled?Changed ssh AllowUsers option and lost access to Ubuntu 14.04SFTP works fine from terminal, but unable to browse to sftp URLAllow users to download files via SFTP, delete files, but not add or modify






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















I already have SFTP for root user enabled on my server but I do not want any user to use root to execute any statements on the terminal. They should use their accounts. I have tried setting PermitRootLogin no in the sshd_config but I could not upload files to the server using SFTP. I also tried changing the shell to nologin and false but I cannot upload files.



So my issue is how can I be able to securely FTP files using root but not be able to use root on the terminal via ssh?










share|improve this question







New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

    – Martin Prikryl
    yesterday




















0















I already have SFTP for root user enabled on my server but I do not want any user to use root to execute any statements on the terminal. They should use their accounts. I have tried setting PermitRootLogin no in the sshd_config but I could not upload files to the server using SFTP. I also tried changing the shell to nologin and false but I cannot upload files.



So my issue is how can I be able to securely FTP files using root but not be able to use root on the terminal via ssh?










share|improve this question







New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

    – Martin Prikryl
    yesterday
















0












0








0


1






I already have SFTP for root user enabled on my server but I do not want any user to use root to execute any statements on the terminal. They should use their accounts. I have tried setting PermitRootLogin no in the sshd_config but I could not upload files to the server using SFTP. I also tried changing the shell to nologin and false but I cannot upload files.



So my issue is how can I be able to securely FTP files using root but not be able to use root on the terminal via ssh?










share|improve this question







New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I already have SFTP for root user enabled on my server but I do not want any user to use root to execute any statements on the terminal. They should use their accounts. I have tried setting PermitRootLogin no in the sshd_config but I could not upload files to the server using SFTP. I also tried changing the shell to nologin and false but I cannot upload files.



So my issue is how can I be able to securely FTP files using root but not be able to use root on the terminal via ssh?







linux ssh sftp root sshd






share|improve this question







New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Farai MugaviriFarai Mugaviri

11




11




New contributor




Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Farai Mugaviri is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

    – Martin Prikryl
    yesterday





















  • I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

    – Martin Prikryl
    yesterday



















I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

– Martin Prikryl
yesterday







I've already asked you to show us your configuration. As based on your comments to your previous mis-post on Stack Overflow, I believe that your description does not really correctly summarize your setup -- My impression is that you use some sudo hack to elevate non-root users to root privileges -- Though even then, the answer by @Eugen still stands.

– Martin Prikryl
yesterday












1 Answer
1






active

oldest

votes


















3














You can't. The important part is, that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her chosing or alterntively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.



In short: root SFTP implies root shell.



I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)






share|improve this answer


























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Farai Mugaviri is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1429552%2fhow-to-enable-sftp-but-disable-shell-for-root%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    3














    You can't. The important part is, that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her chosing or alterntively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.



    In short: root SFTP implies root shell.



    I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)






    share|improve this answer






























      3














      You can't. The important part is, that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her chosing or alterntively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.



      In short: root SFTP implies root shell.



      I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)






      share|improve this answer




























        3












        3








        3







        You can't. The important part is, that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her chosing or alterntively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.



        In short: root SFTP implies root shell.



        I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)






        share|improve this answer















        You can't. The important part is, that whatever configuration files you change to disallow a root shell, a root SFTP can just overwrite it with a file of his or her chosing or alterntively replace the sftp executable with whatever he or she wants. Even adding a simple cron file to start a reverse shell will do the trick.



        In short: root SFTP implies root shell.



        I recommend you rethink the need for a root SFTP - most likely some work on file/directory permissions will do the trick much more securely (or a bindfs mount if must be)







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited yesterday

























        answered yesterday









        Eugen RieckEugen Rieck

        11.5k22429




        11.5k22429






















            Farai Mugaviri is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Farai Mugaviri is a new contributor. Be nice, and check out our Code of Conduct.













            Farai Mugaviri is a new contributor. Be nice, and check out our Code of Conduct.












            Farai Mugaviri is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1429552%2fhow-to-enable-sftp-but-disable-shell-for-root%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...

            Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

            VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...