5

I need to provide user access to Ubuntu 14.04 Server, only limited to certain folder. To enjoy the ssh security and not to open up new service and ports (ie, ftp), I'd like to stick with sftp. However, just creating a user and enabling ssh access is too generous - the user then can log on via ssh and see whatever there is that is viewable by everybody.

I need the user to find themselves in a specific directory after login, and, according to their privileges, read/write files, as well as create folders where permitted. No access to any file or directory above the user's "root" folder.

What would be the suggested method to achieve this? Is there some very restricted shell type for this? I tried with

$ usermod -s /bin/false <username>

But that does not let the user to cd into subfolders of their base folder.

terdon
  • 242,166
Passiday
  • 315

1 Answers1

4

If you want to restrict a user to SFTP, you can do it easily in the SSH daemon configuration file /etc/ssh/sshd_config. Put a Match block at the end of the file:

Match User bob
ForceCommand internal-sftp
ChrootDirectory /path/to/root
AllowTCPForwarding no
PermitTunnel no
X11Forwarding no

If the jail directory is the user's home directory as declared in /etc/passwd, you can use ChrootDirectory %h instead of specifying an explicit path. This syntax allows specifying a group of user accounts as SFTP-only — all users whose group as declared in the user database is sftponly will be restricted to SFTP:

Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h
AllowTCPForwarding no
PermitTunnel no
X11Forwarding no
Gilles 'SO- stop being evil'
  • 829,060
  • 1
    Is there any way to let the user access folders linked via symbolic link? My sftp users get "Couldn't canonicalize: No such file or directory" error when they try to cd into those. – Passiday Sep 23 '14 at 15:46
  • 1
    @Passiday Make sure that the symbolic links don't go outside the chroot: they should be relative, and not using .. too many times (or absolute, but then they need to start from the root of the chroot, so they'll be invalid outside the chroot). – Gilles 'SO- stop being evil' Sep 23 '14 at 15:48
  • 1
    I see from here that if I want users to venture outside the jail, then I must mount that outside folder. – Passiday Sep 23 '14 at 17:05