chrooted sftp backup destination

Environment: stock install of CentOS 7 minimal, SELinux, yum-cron.

Data directory: /mnt/backup, an XFS filesystem on a logical volume.

Mount it with a systemd mount unit similar to the following (systemd requires the unit file to be named after the mount point, so this one is /etc/systemd/system/mnt-backup.mount):

[Unit]
 Description = Backup logical volume
[Mount]
 What = /dev/disk/by-uuid/coffee40-dead-beef-1234-ffffff1c2a34
 Where = /mnt/backup
 Type = xfs
 Options = nodev,nosuid,noexec
[Install]
 WantedBy = multi-user.target

Add the users (no login shell; their home directories sit inside what will become the chroot):

useradd backup-user-1 -d /mnt/backup/backup-user-1/ -s /sbin/nologin
useradd backup-user-2 -d /mnt/backup/backup-user-2/ -s /sbin/nologin

Create the users' shared .ssh directory, owned by root:

mkdir /mnt/backup/.ssh/
chown root:root /mnt/backup/.ssh/

Add the users' keys, one file per user:

echo 'ssh-rsa AAAA[...]' > /mnt/backup/.ssh/authorized_keys-backup-user-1
chown backup-user-1:backup-user-1 /mnt/backup/.ssh/authorized_keys-backup-user-1
echo 'ssh-rsa AAAA[...]' > /mnt/backup/.ssh/authorized_keys-backup-user-2
chown backup-user-2:backup-user-2 /mnt/backup/.ssh/authorized_keys-backup-user-2

Apply the following ACLs recursively to /mnt/backup/.ssh/:

Notes: you could also put all remote users in a group and apply a group ACL instead. Use setfacl --set-file=file to read these ACLs from a file (the format below is what getfacl prints, so the file can be applied as-is).

# file: .ssh/
# owner: root
# group: root
user::rwx
user:backup-user-1:r-x
user:backup-user-2:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:backup-user-1:r-x
default:user:backup-user-2:r-x
default:group::r-x
default:mask::r-x
default:other::---

Apply the following ACLs recursively to /mnt/backup/backup-user-1/:

# file: backup-user-1
# owner: backup-user-1
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:backup-user-1:rwx
default:group::---
default:mask::rwx
default:other::---

Apply the following ACLs recursively to /mnt/backup/backup-user-2/:

# file: backup-user-2
# owner: backup-user-2
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:backup-user-2:rwx
default:group::---
default:mask::rwx
default:other::---

SELinux file contexts (the chroot root gets home_root_t like /home, the per-user directories user_home_dir_t, the key directory and key files ssh_home_t; semanage stores the path as a regex matched against the path without a trailing slash, so none is given here):

semanage fcontext -a -t home_root_t /mnt/backup
semanage fcontext -a -t user_home_dir_t /mnt/backup/backup-user-1
semanage fcontext -a -t user_home_dir_t /mnt/backup/backup-user-2
semanage fcontext -a -t ssh_home_t /mnt/backup/.ssh
semanage fcontext -a -t ssh_home_t /mnt/backup/.ssh/authorized_keys-backup-user-1
semanage fcontext -a -t ssh_home_t /mnt/backup/.ssh/authorized_keys-backup-user-2
restorecon -Rv /mnt/backup/

sshd config, in /etc/ssh/sshd_config (a Match block applies to every line below it, so it goes at the end of the file):

# override default of no subsystems
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User backup-user-1,backup-user-2
 PasswordAuthentication no
 X11Forwarding no
 AllowTcpForwarding no
 PermitTTY no
 ForceCommand internal-sftp
 ChrootDirectory /mnt/backup/
 AuthorizedKeysFile /mnt/backup/.ssh/authorized_keys-%u
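The layout above only works if the ownership and mode rules sshd applies to ChrootDirectory and AuthorizedKeysFile are met, and a mistake shows up only as a refused login and a "bad ownership or modes for chroot directory" line in the log. Below is an added preflight script (not part of the original notes, and written in Python rather than the shell used above) that checks those rules against the tree before the first client connects. It assumes the paths and the authorized_keys-<user> naming from the notes; the root_uid and keys_dir parameters exist only so the checks can be exercised on a scratch tree.

```python
"""Preflight checks for the chrooted-SFTP layout in these notes (added example).

Re-implements with plain os.stat calls what sshd enforces before it will
chroot a session and read a key file (StrictModes is on by default):
  * ChrootDirectory and every directory above it, up to "/", must be owned
    by root and not be group- or world-writable;
  * the AuthorizedKeysFile must be a regular file owned by root or the user
    and writable by nobody else, and its directory likewise;
  * the user's directory inside the chroot must exist and belong to the
    user, since that is where the sftp session lands.
"""
import os
import stat

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _mode(st):
    return f"{stat.S_IMODE(st.st_mode):04o}"


def check_dir(path, allowed_uids):
    """One directory: exists, owned by one of allowed_uids, not g/o writable."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: cannot stat ({e.strerror})"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid not in allowed_uids:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected one of {sorted(allowed_uids)}")
    if st.st_mode & GROUP_OR_WORLD_WRITE:
        problems.append(f"{path}: group- or world-writable (mode {_mode(st)})")
    return problems


def check_chroot_chain(chroot, root_uid=0):
    """Walk from ChrootDirectory up to "/" inclusive, the way sshd does."""
    problems = []
    path = os.path.abspath(chroot)
    while True:
        problems += check_dir(path, {root_uid})
        parent = os.path.dirname(path)
        if parent == path:  # reached "/"
            return problems
        path = parent


def check_key_file(path, user_uid, root_uid=0):
    """AuthorizedKeysFile: regular file, owned by root or the user, not g/o writable."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: cannot stat ({e.strerror})"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_uid not in (root_uid, user_uid):
        problems.append(f"{path}: owned by uid {st.st_uid}, must be root or the user")
    if st.st_mode & GROUP_OR_WORLD_WRITE:
        problems.append(f"{path}: group- or world-writable (mode {_mode(st)})")
    return problems


def check_home(path, user_uid):
    """User's directory inside the chroot: exists and is owned by the user."""
    try:
        st = os.stat(path)
    except OSError as e:
        return [f"{path}: cannot stat ({e.strerror})"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != user_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {user_uid}")
    return problems


def preflight(chroot, users, root_uid=0, keys_dir=None):
    """users: {name: uid}. Returns a list of problem strings; empty means OK.

    keys_dir defaults to <chroot>/.ssh and key files follow the notes'
    AuthorizedKeysFile pattern, authorized_keys-<user>.
    """
    keys_dir = keys_dir or os.path.join(chroot, ".ssh")
    problems = check_chroot_chain(chroot, root_uid)
    problems += check_dir(keys_dir, {root_uid})  # the notes keep .ssh root-owned
    for name, uid in users.items():
        problems += check_key_file(os.path.join(keys_dir, f"authorized_keys-{name}"), uid, root_uid)
        problems += check_home(os.path.join(chroot, name), uid)
    return problems


if __name__ == "__main__":
    import pwd
    import sys
    try:
        users = {n: pwd.getpwnam(n).pw_uid for n in ("backup-user-1", "backup-user-2")}
    except KeyError as e:
        sys.exit(f"cannot resolve user: {e}")
    report = preflight("/mnt/backup", users)
    for line in report or ["OK: layout satisfies sshd's chroot and key-file checks"]:
        print(line)
```

Run it as root on the backup host after the restorecon step; any line it prints names the path sshd will reject and why, which is quicker than reading "bad ownership or modes" out of /var/log/secure after a failed backup run.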