Create a standard user sftpusr and a group sftponly, and make sftpusr a member of that group (the sshd Match block below selects users by this group).

sudo vim /etc/ssh/sshd_config
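# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server

# In-process SFTP server. -l VERBOSE logs the transactions performed on behalf
# of the client; -f LOCAL3 puts them on their own syslog facility so they can
# be routed to a dedicated log and watched separately.
Subsystem sftp internal-sftp -l VERBOSE -f LOCAL3

# A Match block applies until the next Match or end of file: keep it last.
Match Group sftponly
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
    # ForceCommand replaces the Subsystem command for this group, so the
    # logging options must be repeated here; without them sftponly sessions
    # fall back to the default (non-verbose) logging.
    ForceCommand internal-sftp -l VERBOSE -f LOCAL3
    # %u is the login name, so sftpusr ends up in /chroot/sftpusr. sshd
    # requires every component of this path (/chroot and /chroot/sftpusr) to
    # be owned by root and not writable by any other user or group, otherwise
    # the login is refused. Inside the chroot, internal-sftp can only reach
    # syslog if a log socket is available there - verify that LOCAL3 entries
    # still arrive once the chroot is in place.
    ChrootDirectory /chroot/%u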

Run the following command to test the chroot:
# Sanity check: enter the chroot as sftpusr. Note that sshd will confine the
# SFTP session to /chroot/sftpusr (ChrootDirectory /chroot/%u above), one
# level below the directory used here.
sudo chroot -u sftpusr /chroot

sudo vim /etc/exports
# Export the volume and two subdirectories to every host on 10.0.29.0/24.
# No -ro is given, so all three are read-write for any host in that subnet,
# and with no -maproot option the client's root is mapped to an unprivileged
# user (the default). Consider narrowing -network/-mask to the SFTP host
# alone, and exporting Media read-only since the client only mounts it ro.
/Volumes/DATACUBE /Volumes/DATACUBE/Media /Volumes/DATACUBE/Upload -network 10.0.29.0 -mask 255.255.255.0

Mount the exports manually:
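# The mount points must exist first. Creating them with sudo leaves /chroot
# and /chroot/sftpusr root-owned, which sshd's ChrootDirectory requires.
sudo mkdir -p /chroot/sftpusr/media /chroot/sftpusr/upload
# nosuid,nodev: these shares are reachable by the untrusted SFTP users, so
# setuid binaries or device nodes placed on them must not be honoured here.
sudo mount -o ro,nosuid,nodev -t nfs 10.0.29.150:/Volumes/DATACUBE/Media /chroot/sftpusr/media
sudo mount -o rw,nosuid,nodev -t nfs 10.0.29.150:/Volumes/DATACUBE/Upload /chroot/sftpusr/upload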

 

Automatic mount via a launchd agent:
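# -p: do not fail if the directory already exists.
mkdir -p /Users/bhr/Library/LaunchAgents/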

vim /Users/bhr/Library/LaunchAgents/org.mount.nfs.plist
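<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<!-- launchd agent that runs mountnfs.sh. NOTE: a LaunchAgent runs as the
	     logged-in user, not as root; if mounting under /chroot needs root on
	     this system, the file belongs in /Library/LaunchDaemons instead. -->
	<!-- A bare KeepAlive true relaunches the program every time it exits, and
	     mountnfs.sh exits as soon as the mounts are issued, so launchd would
	     respawn it endlessly (throttled). SuccessfulExit false relaunches only
	     after a non-zero exit, i.e. it retries until the mounts succeed. -->
	<key>KeepAlive</key>
	<dict>
		<key>SuccessfulExit</key>
		<false/>
	</dict>
	<key>Label</key>
	<string>org.mount.nfs</string>
	<!-- Program is executed directly, so mountnfs.sh must be executable. -->
	<key>Program</key>
	<string>/Users/bhr/Library/LaunchAgents/mountnfs.sh</string>
	<key>RunAtLoad</key>
	<true/>
	<!-- Fixed-name log files in the shared /tmp; a per-user location such as
	     ~/Library/Logs avoids clashing with files created by other users. -->
	<key>StandardErrorPath</key>
	<string>/tmp/com.mmac.startup.stderr</string>
	<key>StandardOutPath</key>
	<string>/tmp/com.mmac.startup.stdout</string>
</dict>
</plist>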

 

vim /Users/bhr/Library/LaunchAgents/mountnfs.sh
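#!/bin/bash
# mountnfs.sh - mount the DATACUBE NFS exports into the sftpusr chroot.
# Run by launchd (org.mount.nfs.plist). Exits non-zero if a mount fails so the
# failure is visible in the agent's StandardErrorPath and launchd can retry.
# Mounting under /chroot will most likely need root; a LaunchAgent runs as the
# login user, so check which context this actually runs in.
set -eu

readonly NFS_SERVER=10.0.29.150
readonly CHROOT_DIR=/chroot/sftpusr

#######################################
# Mount one NFS export unless something is already mounted at the target.
# Arguments: $1 - mount options
#            $2 - export path on the server
#            $3 - mount point
# Returns:   0 if already mounted, otherwise mount's exit status
#######################################
mount_export() {
  local opts=$1 export_path=$2 target=$3
  # launchd may run this script more than once; mounting over an existing
  # mount would fail and the whole script with it.
  if mount | grep -qF -- " on ${target} ("; then
    printf '%s already mounted\n' "$target"
    return 0
  fi
  # nosuid,nodev: the shares are reachable by untrusted SFTP users.
  mount -o "$opts" -t nfs "${NFS_SERVER}:${export_path}" "$target"
}

mount_export ro,nosuid,nodev /Volumes/DATACUBE/Media  "${CHROOT_DIR}/media"
mount_export rw,nosuid,nodev /Volumes/DATACUBE/Upload "${CHROOT_DIR}/upload"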

# With no arguments showmount lists the clients that have mounted from this
# host; `showmount -e 10.0.29.150` lists what the server exports instead.
showmount
# df -H confirms the two NFS mounts are present.
df -H

https://www.bresink.com/osx/NFSManager-de.html

Comments

  1. Alex

    I have a question more relevant to my own situation. If you please, I have a group named sftpgroup and users inside that group. How do I prevent those users from gaining shell access? If I give them a null shell they lose sftp access. Do your steps resolve this? I looked at man chroot(8) in High Sierra and it would appear to do what I need. Could you kindly clarify?

    1. admin Article Author

      No need for a special shell; just create a standard macOS user. The chroot command should do the rest.
