I often have to share resources to clients , but allowing them to “play” with the entire file system of the web app, might end up in disaster.
That’s why i decided to write this little guide on how to restrict sftp users to theirs home directory and share folders.
Restrict sftp access to home directory
First we need to modify the sshd_config file which contains all the ssh configurations.
sudo nano /etc/ssh/sshd_config
Make sure the following line is enable, otherwise add it your self.
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
On DigitalOcean I had the following line, which i replaced.
Subsystem sftp /usr/lib/openssh/sftp-server
At the end of the file, add the following, make sure that the /home/myuser folder is owned by root.
This configuration will block the user to ssh connect to the server and restrict her to the home directory myuser.
Match User myuser ChrootDirectory /home/myuser ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
Now we just need to restart the ssh service
sudo service ssh restart
Normally we would use the ln -s command to do a symlink but when using chroot to restrict access to the home directory, that command won’t work.
Luckily the mount command comes in our help, using the option bind we are able to link the resource (/var/www/myfolder/var) into the user home directory in the folder import.
cd /home/myuser mount -o bind /var/www/myfolder/var/import import
Please note that if you reboot the server, you will have to re run this command.
I hope this article will help all of you that are trying to achieve the same with your lovely clients .
If you need that folder to be writable from other users you could use facl:
sudo setfacl -Rm g:user_group:rwx