SFTP does not restrict user to the subscription's directory

Applicable to:

  • Plesk for Linux

Symptoms

  • /bin/bash (chrooted) is selected as a shell in Plesk > Domains > example.com > Access to the server over SSH

  • The restriction to /var/www/vhosts/example.com is active in the SSH session:

    # ssh user@192.0.2.2
    bash-4.2$ echo -n 'SFTP restrictions '; [[ -e /httpdocs ]] && echo 'active' || echo 'inactive'
    SFTP restrictions active

  • The restriction is not active over SFTP: it is possible to traverse to the real root.

Cause

Subsystem sftp is set to the internal-sftp in the SSHD configuration:

# grep sftp /etc/ssh/sshd_config | grep -v '^#'
Subsystem sftp internal-sftp

Note: internal-sftp is not compatible with the Plesk chrooted shell configuration for SFTP.

Resolution

Switch back to the default SFTP subsystem:

  1. Connect to the server via SSH

  2. Comment out the existing sftp subsystem configuration:

    Note: A backup will be saved as /etc/ssh/sshd_config.bkp.

    # sed -i.bkp '/sftp/s/^/#/g' /etc/ssh/sshd_config

  3. Add the default binary path to the configuration:

    • Ubuntu/Debian:

      # echo 'Subsystem sftp /usr/lib/openssh/sftp-server' >> /etc/ssh/sshd_config

    • CentOS/RHEL-based:

      # echo 'Subsystem sftp /usr/libexec/openssh/sftp-server' >> /etc/ssh/sshd_config

  4. Check the SSHD configuration:

    # sshd -t

    Note: If no output is returned, the configuration is valid.

  5. Reload SSHD to apply the new configuration:

    # service sshd reload

Note: Sometimes it may be necessary to rebuild the chroot template to re-apply the settings.
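
A check for the condition described under Cause, usable before and after the Resolution steps. This is an added example, not part of the original article or Plesk tooling; the function names, status strings and exit codes are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not Plesk tooling): classify the active "Subsystem sftp"
# setting in an sshd_config file. Function names and exit codes are assumptions.
# Limitation: only the given file is read; Include directives are not followed.

# Print the command of every active (uncommented) "Subsystem sftp" line.
# sshd keywords are case-insensitive; the subsystem name is matched exactly.
sftp_subsystem_lines() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" {
             $1 = ""; $2 = ""; sub(/^ +/, ""); print
         }' "$1"
}

# Exit status: 0 = external sftp-server, 1 = internal-sftp (see Cause),
# 2 = missing, duplicated or unrecognised, 3 = file not readable.
check_sftp_subsystem() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 3; }
    lines=$(sftp_subsystem_lines "$conf")
    count=$(printf '%s\n' "$lines" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "none: no active sftp subsystem line"; return 2
    elif [ "$count" -gt 1 ]; then
        # e.g. step 3 run twice; let "sshd -t" (step 4) judge the file
        echo "duplicate: $count active sftp subsystem lines"; return 2
    fi
    case $lines in
        internal-sftp*) echo "incompatible: $lines"; return 1 ;;
        */sftp-server*) echo "ok: $lines"; return 0 ;;
        *)              echo "unknown: $lines"; return 2 ;;
    esac
}

# Demo on constructed input: a config after steps 2 and 3 on CentOS/RHEL.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Subsystem sftp internal-sftp
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
check_sftp_subsystem "$sample" || true
rm -f "$sample"
```

On a server, call `check_sftp_subsystem /etc/ssh/sshd_config`. Because the sed pattern in step 2 matches every line containing `sftp`, compare the file against `/etc/ssh/sshd_config.bkp` with `diff` before reloading.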
