5 October, 2020

Restrict SFTP users to their home directory and share folders


Luigi Laezza

I often have to share resources with clients, but letting them “play” with the entire file system of the web app might end in disaster.

That’s why I decided to write this little guide on how to restrict SFTP users to their home directory and share folders.

First, we need to edit the sshd_config file, which holds the SSH daemon configuration.

sudo nano /etc/ssh/sshd_config

Make sure the following line is present and not commented out; otherwise add it yourself.

Subsystem sftp internal-sftp  -f AUTH -l VERBOSE

On DigitalOcean I had the following line, which I replaced.

Subsystem sftp /usr/lib/openssh/sftp-server

At the end of the file, add the following block, and make sure that the /home/myuser folder is owned by root.

This configuration prevents the user from opening an SSH shell on the server and restricts her to the /home/myuser directory.

Match User myuser
       ChrootDirectory /home/myuser
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no

Now we just need to restart the ssh service.

sudo service ssh restart

Normally we would use the ln -s command to create a symlink, but inside a chroot that won’t work: the link target is resolved relative to the chroot, so a link pointing outside the home directory is dead.

Luckily the mount command comes to our help: with the bind option we can make the resource (/var/www/myfolder/var/import in the example below) appear inside the user’s home directory under the import folder.

cd /home/myuser
# the mount point must exist before it can be bound, and mount needs root
sudo mkdir -p import
sudo mount -o bind /var/www/myfolder/var/import import

Please note that if you reboot the server, you will have to re-run this command.

I hope this article will help all of you that are trying to achieve the same with your lovely clients.

If you need that folder to be writable by other users as well, you can use POSIX ACLs with setfacl:

sudo setfacl -Rm g:user_group:rwx /var/www/myfolder/var/import