Xftp Tutorial

How to Change Users After Login

Last modified: Friday, March 31, 2017 6:09 AM

The SFTP protocol does not provide a way to switch users after the initial login. However, there are a couple of tricks that use Xftp's custom SFTP server feature to switch users.

One method is to use the sudo command, and the other is to use the setuid bit of chmod. Both methods require system admin (root) privileges. This tutorial will go over these two methods.

Before beginning, you'll need to note where your sftp-server is placed.

# cat /etc/ssh/sshd_config | grep sftp
Subsystem sftp /usr/libexec/openssh/sftp-server 

Running the sftp-server Using Sudo
  1. Register Users in Sudo.
    Any users who use sudo commands need to be listed in the sudoers file:

    # vi /etc/sudoers
    ...
    # This needs to be commented out on Red Hat family Linux.
    #Defaults    requiretty
    ...
    User_Alias     ADMINISTRATOR = test
    ADMINISTRATOR ALL=(ALL) NOPASSWD:full_path_of_your_sftp_server
    # NOPASSWD is mandatory.
    # sftp-server can be in any other place 
  2. In Xftp, create a session file which includes the custom sftp-server option.
    Session Properties -> General tab -> Protocol: SFTP -> Setup -> Use custom SFTP server : sudo full_path_of_your_sftp_server

    If you use the '-u' option with sudo, you can switch to any user you'd like.

  3. Run the session.

  4. Check whether restricted files and directories can be accessed.

Changing File Mode Bits (chmod)

This method does not require you to modify the system sudoers file and carries less risk than sudo. If the user you'd like to switch to does not have root privileges, you won't require root. In the following example user 'bar' will switch to user 'foo.'

  1. Allow the user who you will switch to, foo, to copy the sftp-server to a desired location.

    [bar@myserver ~] $ whoami
    bar
    [bar@myserver ~] $ cp /usr/libexec/openssh/sftp-server /tmp
    [bar@myserver ~] $ chmod u+s /tmp/sftp-server
    [bar@myserver ~] $ ls -l /tmp/sftp-server
    -rwsr-xr-x. 1 bar bar 83984 Mar 29 18:01 sftp-server
  2. In Xftp, create a session file including the custom sftp-server option. There is no need to use sudo.

  3. The user 'foo' will run the sftp-server in the /tmp directory, but the sftp-server will work using the permissions of the user 'bar.'

  4. Save and run the session.

  5. Check if the files and directories limited to the 'bar' user can be accessed.
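
An added example, not part of the original tutorial: a shell function an administrator can use to find set-user-ID copies of sftp-server like the one created in step 1 and report who is able to execute them. With the mode shown above (-rwsr-xr-x), every local account that can reach the file runs it with the owner's permissions; the function name audit_setuid and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit set-user-ID copies of sftp-server.
# The function name and output format are this example's own choices.

# audit_setuid DIR [NAME]
# Prints one line per set-user-ID file called NAME under DIR:
#   "<exposure> <owner> <path>"
# exposure is:
#   world  any local account can execute the file as <owner>
#   group  only members of the file's group can
#   owner  only the owner can, so the setuid bit changes nothing
audit_setuid() {
    dir=$1
    name=${2:-sftp-server}
    # -perm -4000 matches files that have the set-user-ID bit set.
    find "$dir" -type f -name "$name" -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ -n "$(find "$f" -perm -0001)" ]; then
            exposure=world      # other-execute bit is set
        elif [ -n "$(find "$f" -perm -0010)" ]; then
            exposure=group      # group-execute bit is set
        else
            exposure=owner
        fi
        printf '%s %s %s\n' "$exposure" "$owner" "$f"
    done
}

# Run directly, for example: sh audit_setuid.sh /tmp
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

A "world" result for a copy outside the path named in sshd_config is worth reviewing; giving the file mode 4750 and a dedicated group narrows the exposure to "group".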