[GH-ISSUE #2400] Restrict SFTP access to user's $HOME directory (or use blacklist) #1600

Closed
opened 2026-05-05 08:15:25 -06:00 by gitea-mirror · 5 comments

Originally created by @fevangelou on GitHub (Feb 13, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2400

First off, thank you for such a great piece of software.

On a multi-tenant server setup using Ubuntu 18.04, I have managed to restrict SSH access for users so they are not allowed to see certain folders (e.g. /backup, /etc/nginx, /etc/php and so on) by swapping their shell with "/usr/bin/firejail" upon user creation. Aside from the aforementioned folders (which are listed in my custom /etc/firejail/disable-common.local), these users cannot navigate to other /home/* folders and processes like top/htop are nicely restricted to these users' processes. So all good on the SSH front.

However, for practical reasons, users must have SFTP access as well. I've found no clue so far as to how/if it's possible to restrict SFTP access similarly to SSH access.

In other words, would it be possible to always enforce /usr/lib/sftp-server or /usr/lib/openssh/sftp-server (whichever is mentioned in /etc/ssh/sshd_config at "Subsystem sftp...") to run via Firejail?

Thanks in advance.


@chiraag-nataraj commented on GitHub (Feb 17, 2019):

Why not just set the option to `firejail /usr/lib/sftp-server` or whatever in `/etc/ssh/sshd_config`? The other alternative (if you're spawning the server as a system service) would be to edit the init script or systemd unit file to launch the program via `firejail`.


@Gimly86 commented on GitHub (Mar 4, 2019):

Hello all,

Same question here. I tested by launching this command:

`/usr/bin/firejail --profile=/etc/firejail/ssh.proile -c /usr/lib/openssh/sftp-server -l INFO`

I can't connect with my SFTP client; I get this error:

`subsystem request for sftp by user testsftp failed, subsystem not found`

Same problem with `--noprofile`, and same problem with this in `/etc/ssh/sshd_config`:

`Subsystem /usr/bin/firejail --profile=/etc/firejail/ssh.profile /usr/lib/openssh/sftp-server -l INFO`

What are the best practices to firejail the OpenSSH SFTP server, please?

Thanks in advance for your help!


@fevangelou commented on GitHub (Mar 6, 2019):

@chiraag-nataraj Did so, but SFTP completely craps out. Even moved the command to a shell script in case the syntax was causing issues. SFTP breaks entirely.

There must be a better way to do this. I'm surprised SFTP is not covered in the docs, blog posts etc.


@rusty-snake commented on GitHub (Sep 10, 2019):

IMHO the best is:

```
###Subsystem sftp /usr/lib/openssh/sftp-server
# Enable the built-in implementation of SFTP
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group exchangefiles
  # Force the connection to use the built-in SFTP support
  ForceCommand internal-sftp
  # Chroot the connection into the home directory of the user being authenticated
  ChrootDirectory %h
…
```

https://wiki.ubuntuusers.de/SSH/

If you only want to restrict file access, or did I get something wrong?
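
As an added example (not part of @rusty-snake's comment or the firejail project): sshd refuses a `ChrootDirectory` unless every component of the path is owned by root and not writable by group or others, so `ChrootDirectory %h` only works when the home directory itself is root-owned. The script below audits a path against the ownership and write-bit parts of that rule; it assumes GNU `stat`, and the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight audit of a path intended for ChrootDirectory.

# Read "uid octal-mode path" lines (the output format of
# `stat -c '%u %a %n'`) on stdin, print each component sshd would reject,
# and return 1 if any was found.
audit_components() {
    awk '
    {
        uid = $1 + 0
        mode = "000" $2                 # pad so short modes like "0" work
        path = $0
        sub(/^[^ ]+ [^ ]+ /, "", path)  # keep paths that contain spaces
        n = length(mode)
        grp = substr(mode, n - 1, 1) + 0
        oth = substr(mode, n, 1) + 0
        if (uid != 0) { print "not root-owned: " path; bad = 1 }
        # The write bit has value 2 inside each octal permission digit.
        if (int(grp / 2) % 2 == 1 || int(oth / 2) % 2 == 1) {
            print "group/other writable: " path; bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Emit one stat line for the given absolute path and each of its ancestors.
path_components() {
    p=$1
    while :; do
        stat -c '%u %a %n' "$p" || return 2
        if [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
}

# Audit a real path on this host, e.g. check_chroot /home/alice
check_chroot() { path_components "$1" | audit_components; }

# Constructed samples: a home directory owned by its user (what %h usually
# expands to) and a root-owned tree set aside for SFTP users.
SAMPLE_BAD='1001 755 /home/alice
0 755 /home
0 755 /'
SAMPLE_OK='0 755 /srv/sftp/alice
0 755 /srv/sftp
0 755 /srv
0 755 /'

if [ $# -gt 0 ]; then check_chroot "$1"; fi
```

Because the chroot root cannot be writable by the user, uploads need a user-owned subdirectory inside it.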


@rusty-snake commented on GitHub (Oct 13, 2019):

I'm closing here due to inactivity, please feel free to reopen if you have more questions.
