schsh: Restricted file access via SSH
Welcome to schsh, a schroot-based shell.
Its purpose is simple: I want to provide users with scp, sftp and rsync access to my server, such that they can only operate in a certain subdirectory. There are plenty of solutions for this problem out there, and all have one drawback in common: You need to manually set up a bunch of chroots, and copy the files needed for scp, sftp and rsync into them.
I didn't like that, so here is my alternative solution: Use schroot for the chroots. This gets OpenSSH out of the loop when it comes to chroots, instead the relevant users get a special shell (schsh, the schroot shell). That shell essentially calls schroot and runs the desired command inside the chroot. It also provides some very basic command restriction (so that you can allow scp, sftp and rsync and nothing else).
Unfortunately, this still needs a (s)chroot to be set up for each user, but at least no files have to be copied: Instead, schroot is configured to bind-mount the relevant system folders into the user-chroot. Hence no files are duplicated, and system updates to the relevant tools are applied inside the chroots automatically. For additional hardening, these bind-mounts are configured to be read-only and no-setuid, while the only user-writeable folder is no-exec.
Installation is simple: Just run
make install. That will copy some files
/usr/local/bin, and some configuration to
Before you create any users, make sure the directory
/var/lib/schsh and a
You should also set up SSH to disallow port forwarding for users controlled by
sshd_config in the source folder for an appropriate snippet
of OpenSSH configuration.
Before you can set up schsh for a user, you need to create it first:
adduser sandboxed --disabled-password
Any existing user can be "sandboxed" by running:
This does the following:
- Change the user's shell to
- Create a chroot base in
/var/lib/schsh/sandboxedwith some empty subfolders as well as
/etc/groupcontaining only root, this user and the
- Add the user to the
- Set up a schroot called
schsh-sandboxedfor the given folder, and an fstab file in
/etc/schroot/schshused by this schroot
Now if the user logs in via SSH,
/usr/local/bin/schsh will be executed,
and it will lock the user into the schroot
schsh-sandboxed. It will
only see some system folders and a folder called
/data mapped to
/home/sandboxed/data. If you want to give the user access to more
folders, or another folder, simply edit
The only part of schsh writing any files is
makeschsh, so you can change
the users' schroot configurations at your will.
There is not much to configure at the moment. However, there are some
global variables at the top of both
change the base paths, and to tell which commands are allowed.
You can find the sources in the git
repository (also available on
GitHub). They are provided under the
GPLv3. In addition, all files except
schsh-rrsync are provided under the
GPLv2 or (at your
option) any later version of the GPL. See the file
LICENSE-GPL3 for more
If you found a bug, or want to leave a comment, please send me a mail.