Restrict SFTP users to their home directory and share folders

I often have to share resources with clients, but letting them “play” with the entire file system of the web app can end in disaster.

That’s why I decided to write this little guide on how to restrict SFTP users to their home directory and share folders with them.

Restrict SFTP access to the home directory

First we need to edit sshd_config, the OpenSSH server configuration file.

sudo nano /etc/ssh/sshd_config

Make sure the following line is present and not commented out; otherwise add it yourself. internal-sftp runs the SFTP server inside the sshd process itself, which is what allows it to work inside a chroot that contains no binaries or libraries (the external sftp-server binary would not be reachable from inside the chroot).

Subsystem sftp internal-sftp  -f AUTH -l VERBOSE

On DigitalOcean I had the following line, which I replaced.

Subsystem sftp /usr/lib/openssh/sftp-server

At the end of the file, add the following block. It has to go at the end because everything after a Match line, up to the next Match, belongs to that block. OpenSSH also requires that /home/myuser, and every directory above it, is owned by root and not writable by group or others; otherwise the login is refused and the auth log reports “bad ownership or modes for chroot directory”. A consequence is that the user cannot write directly into the top of the chroot, so anything she needs to write to has to be a subdirectory below it (the shared folder set up in the next section, for example).

This configuration prevents the user from getting a shell on the server (ForceCommand runs only the SFTP server, whatever she asks for) and confines her to /home/myuser, which she sees as /.

Match User myuser
       ChrootDirectory /home/myuser
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no

Now we just need to restart the SSH service. Check the file first with sshd’s -t option, because a syntax error in sshd_config would lock everyone out on restart.

sudo service ssh restart

Share resources

Normally we would use ln -s to create a symlink, but a symlink does not work across a chroot: its target is resolved relative to the chroot root, so from the user’s point of view /var/www/myfolder/var/import simply does not exist.

Luckily the mount command comes to our help: with the bind option we can mount the resource (/var/www/myfolder/var/import) onto a folder called import inside the user’s home directory. The mount point has to exist before mounting.

cd /home/myuser
sudo mkdir -p import
sudo mount -o bind /var/www/myfolder/var/import import

Please note that this mount does not survive a reboot: you will have to re-run the command, or add an equivalent bind entry to /etc/fstab.

I hope this article will help all of you who are trying to achieve the same with your lovely clients.

If you need that folder to be writable by other users as well (the web server’s group, for example), you can use a POSIX ACL. The first command grants access to what is already there; the second sets the default ACL so that files the SFTP user uploads later inherit it:

sudo setfacl -Rm g:user_group:rwx /var/www/myfolder/var/import
sudo setfacl -Rdm g:user_group:rwx /var/www/myfolder/var/import
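The whole procedure as one script, added here as an example and not part of the original post. It assumes the names used above (myuser, user_group, /var/www/myfolder/var/import), Debian/Ubuntu paths (/usr/sbin/nologin, service ssh) and GNU coreutils stat. Besides the steps above it adds two things a practitioner wants: a check that the chroot path meets sshd’s ownership and mode rules before the first login fails, and an /etc/fstab entry so the bind mount comes back after a reboot.

```shell
#!/bin/sh
# Added example, not from the original post: provision a chroot-only SFTP
# account and a bind-mounted share in one go. Run as root with the argument
# "apply"; without it only the functions are defined. Assumes the post's
# names (myuser, user_group, /var/www/myfolder/var/import), Debian/Ubuntu
# paths (/usr/sbin/nologin, service ssh) and GNU coreutils stat.
set -eu

# sshd refuses a ChrootDirectory unless every component of the path is owned
# by root and not writable by group or others ("bad ownership or modes for
# chroot directory" in the auth log). Returns 0 when the whole path passes.
check_chroot_path() {
    p=$1
    while :; do
        set -- $(stat -c '%u %a' -- "$p")        # owner uid, octal mode
        if [ "$1" -ne 0 ] || [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "chroot check failed on $p (uid=$1 mode=$2)" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname -- "$p")
    done
}

# The Match block from the post, generated for any user name. Match blocks
# must stay at the end of sshd_config: every line after a Match line, up to
# the next Match, belongs to it.
sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory /home/$1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# /etc/fstab entry so the bind mount survives a reboot.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

provision() {
    user=myuser
    group=user_group                  # other accounts that need write access
    share=/var/www/myfolder/var/import
    home=/home/$user

    # No login shell: even if the ForceCommand line were ever lost, no shell.
    id "$user" >/dev/null 2>&1 || useradd -M -d "$home" -s /usr/sbin/nologin "$user"
    mkdir -p "$home"
    chown root:root "$home"           # top of the chroot must be root-owned ...
    chmod 755 "$home"                 # ... and not group/world writable
    check_chroot_path "$home"

    # Bind-mount the share below the chroot (the user sees it as /import)
    # and persist it, unlike a bare "mount -o bind".
    mkdir -p "$home/import"
    grep -qsF "$share $home/import " /etc/fstab \
        || fstab_bind_line "$share" "$home/import" >> /etc/fstab
    mountpoint -q "$home/import" || mount "$home/import"

    # Writable for the group now, and by default for files uploaded later
    # (-d sets the default ACL that new files and directories inherit).
    setfacl -Rm  "g:$group:rwx" "$share"
    setfacl -Rdm "g:$group:rwx" "$share"

    # Append the Match block once, stop on a syntax error (a broken
    # sshd_config would lock everyone out on restart), then restart.
    grep -q "^Match User $user\$" /etc/ssh/sshd_config \
        || sftp_match_block "$user" >> /etc/ssh/sshd_config
    sshd -t
    service ssh restart
}

if [ "${1-}" = apply ]; then
    provision
fi
```

Run it as root with the argument apply. Without the argument it only defines the functions, so you can source it and call check_chroot_path on an existing chroot to see which directory in the path is making sshd refuse the login.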
Published 2016-07-13 by Soipo.
