Privilege "User - System: Copy files to home directory (chrooted scp)"



  • Good day,

    We are trying to enable a user to connect to pfsense via SFTP (or SCP) and copy a file FROM their home directory.
    In 2.3+, there is a user privilege "User - System: Copy files to home directory (chrooted scp)".

    However, assigning this by itself and connecting doesn't work; in the System log the following appears:

    Dec 3 17:40:19 scponly 67159 failed: /usr/libexec/sftp-server with error No such file or directory(2) (username: testuser(2000), IP/port: xxx.xxx.xxx.xxx 50690 22)

    Ok, so in the privilege there is a cryptic reference to the following:

    Warning: Manual chroot setup required, see /usr/local/etc/rc.d/scponlyc

    I opened the file, but it doesn't explain how to do this chroot setup.

    I found the following information regarding all this:

    Add the following lines to /etc/rc.conf to enable scponly:

    scponlyc_enable (bool):   Set to "NO" by default.
    #                         Set it to "YES" to enable scponly
    scponlyc_shells (str):    Set to "/etc/shells" by default.
    scponlyc_passwd (str):    Set to "/etc/passwd" by default.

    To set up the chroot cage, run the following commands:
      1) cd /usr/local/share/examples/scponly/ && /bin/sh setup_chroot.sh
      2) Set scponlyc_enable="YES" in /etc/rc.conf
      3) Run /usr/local/etc/rc.d/scponly start

    So my question is whether
    a) This is the right way to grant SFTP/SCP-read only access to the home directory and
    b) Whether there is a better way.

    Any help would be appreciated.
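As an added example (not from the post, and not pfSense or scponly code), a POSIX sh pre-flight check for the chroot cage built by the three steps above: it verifies that the sftp-server binary, the shared libraries it links against, and /dev/null are all present under the cage root, since a cage missing any of these produces exactly the "No such file or directory" failure shown in the log. It assumes the cage root is given as the first argument and that paths inside the cage mirror the host paths (both assumptions).

```shell
#!/bin/sh
# Pre-flight check for an scponly chroot cage (added example, not from the post).
# Assumption: the cage mirrors host paths, so /usr/libexec/sftp-server on the
# host must exist as ${CAGE}/usr/libexec/sftp-server inside the cage.

# check_cage ROOT PATH...  - report every PATH absent under ROOT; returns 1 if any
check_cage() {
    root=$1; shift
    missing=0
    for p in "$@"; do
        if [ ! -e "${root}${p}" ]; then
            echo "missing in cage: ${root}${p}"
            missing=1
        fi
    done
    return $missing
}

# lib_deps FILE - print the shared libraries a dynamically linked binary needs
# (parses the "name => /path (addr)" lines of ldd; static/non-ELF files print none)
lib_deps() {
    [ -f "$1" ] || return 0
    ldd "$1" 2>/dev/null | awk '$2 == "=>" { print $3 }'
}

# verify_sftp_cage ROOT [SFTP_SERVER] - check binary, its libs and /dev/null
verify_sftp_cage() {
    root=$1
    bin=${2:-/usr/libexec/sftp-server}
    rc=0
    check_cage "$root" "$bin" /dev/null || rc=1
    for lib in $(lib_deps "$bin"); do
        check_cage "$root" "$lib" || rc=1
    done
    [ $rc -eq 0 ] && echo "cage $root looks complete for $bin"
    return $rc
}

# Usage: sh check_cage.sh /home/testuser   (run before assigning the privilege)
if [ $# -gt 0 ]; then
    verify_sftp_cage "$1"
fi
```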

