How to Restrict SFTP Users to Specific Directory in Linux

SFTP (the SSH File Transfer Protocol) is the file-transfer service built into OpenSSH. Despite the name it is unrelated to FTP: it runs inside an encrypted SSH session, so credentials and file contents are never sent in the clear. By default an SFTP user can browse the whole file system, limited only by ordinary file permissions, so on a multi-user or shared server it is important to confine each user to the directories they are meant to reach and nothing else. OpenSSH does this with a chroot: the user's view of the file system is rooted at a directory you choose, and anything outside it simply does not exist for that session. In this article, we look at how to restrict SFTP users to a specific directory in Linux. The steps apply to any distribution running OpenSSH server; only the path of the nologin shell and the name of the SSH service differ between distributions.


How to Restrict SFTP Users to Specific Directory in Linux

Here are the steps to restrict SFTP users to their home directory or to another specific directory. In both cases the restriction is enforced by the ChrootDirectory directive in sshd_config, applied to the members of a dedicated group (sftpgroup) through a Match Group block. OpenSSH requires the chroot directory, and every directory above it up to /, to be owned by root and not writable by group or others; the user then gets a writable subdirectory below it. We will look at both variants, starting by restricting the user ubuntu to its home directory /home/ubuntu.


Restrict Users to Home Folder


1. Create User Group

Open a terminal and run the following command to create the sftpgroup group.

$ sudo groupadd sftpgroup

Next, add the user ubuntu to this group. Use -aG (append) rather than -G on its own: -G alone replaces the user's existing supplementary groups, which silently drops them from groups such as sudo.

$ sudo usermod -aG sftpgroup ubuntu

If you want to create a new user and add it to sftpgroup in one step, use useradd with sftpgroup as the primary group and a shell that refuses interactive logins (the path is /sbin/nologin on RHEL-based systems and /usr/sbin/nologin on Debian/Ubuntu; note that Debian's adduser is a different tool with different options). Here we create the new user test_user and set its password.

$ sudo useradd -g sftpgroup -s /sbin/nologin test_user
$ sudo passwd test_user

Because -g already made sftpgroup the primary group, no separate usermod step is needed for test_user. The nologin shell does not get in the way: internal-sftp runs inside sshd itself and never starts the user's shell.


2. Modify SSH Configuration File

Open SSH Configuration file in a text editor.

$ sudo vi /etc/ssh/sshd_config

Find the existing Subsystem line (typically Subsystem sftp /usr/lib/openssh/sftp-server or /usr/libexec/openssh/sftp-server) and change it to the built-in server. Do not add a second Subsystem line: sshd refuses to start when the sftp subsystem is defined twice. Then append the Match block at the very end of the file, because everything after a Match line applies only to the matched connections and any global setting placed below it would be misread.

Subsystem sftp internal-sftp

Match Group sftpgroup
    ChrootDirectory /home
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Here /home is the chroot, so the user's own directory appears as /ubuntu inside it. /home itself must be owned by root and must not be group- or world-writable (the default mode 755 is fine); otherwise sshd logs "bad ownership or modes for chroot directory" and rejects the login. ForceCommand internal-sftp makes the SFTP server the only thing the user can run, and the two forwarding options stop the session from being used as a tunnel to other hosts or to the local X display.

Save and close the file. Check the syntax before restarting, because an invalid sshd_config leaves you with no way to log in and fix it:

$ sudo sshd -t

Then restart the SSH daemon (the service is called sshd on RHEL-based systems and ssh on Debian/Ubuntu).

$ sudo systemctl restart sshd
OR
$ sudo service sshd restart

If several users are chrooted to the same directory, each of them can list the names of all directories under /home. Set each home directory to mode 700 so that only its owner can enter or read it.

$ sudo chmod 700 /home/ubuntu


3. Verify SSH & SFTP logins

Open a terminal and run the following command to confirm that an interactive SSH login is refused. Replace 54.43.32.21 with the IP of your SSH server.

$ ssh ubuntu@54.43.32.21

You will be prompted for a password. Even with the correct password, the session is closed immediately with output like the following. The "Could not chdir" line appears because /home/ubuntu does not exist inside the chroot (the chroot is applied before the change to the home directory); newer OpenSSH releases suppress that line for chrooted sessions.

ubuntu@54.43.32.21's password: 
Could not chdir to home directory /home/ubuntu: No such file or directory
This service allows sftp connections only.
Connection to 54.43.32.21 closed.

Now connect to the same server via SFTP.

$ sftp ubuntu@54.43.32.21

On entering the right password, you will be logged into your home folder.

ubuntu@54.43.32.21's password: 
Connected to 54.43.32.21.
sftp>

Run the following commands to print the present working directory and list what is visible from it.

sftp> pwd
Remote working directory: /

sftp> ls
ubuntu

As shown above, the chroot root / corresponds to /home on the server, and the user sees its own ubuntu directory (together with the names of any other home directories that exist, whose contents are hidden by the 700 mode set earlier). cd into ubuntu and start creating or uploading files and folders there; that directory is the only writable location in the session.


Restrict Users to Specific Folders

In this case the chroot is a dedicated directory outside /home, /sftpusers/chroot, with a writable subdirectory per user. This is the better layout when the accounts exist only for file exchange and should never see the real home directories.


1. Create User group

Here too we create a separate user group sftpgroup.

$ sudo groupadd sftpgroup

Next, we create the directory that will serve as the chroot. It, and every directory above it (here /sftpusers), must be owned by root and must not be writable by group or others. mkdir -p run through sudo already gives both directories the right owner; the explicit chown and chmod make the requirement visible and correct it if the directory existed before.

$ sudo mkdir -p /sftpusers/chroot
$ sudo chown root:root /sftpusers/chroot/
$ sudo chmod 755 /sftpusers/chroot/

Because the chroot is root-owned, the users cannot write to it directly. We therefore create a subdirectory for each user, owned by that user, which is the only place they can write. Here is an example for the user ubuntu (use /usr/sbin/nologin on Debian/Ubuntu).

$ sudo useradd -g sftpgroup -s /sbin/nologin ubuntu
$ sudo passwd ubuntu
$ sudo mkdir /sftpusers/chroot/ubuntu
$ sudo chown ubuntu:sftpgroup /sftpusers/chroot/ubuntu/
$ sudo chmod 700 /sftpusers/chroot/ubuntu/


2. Configure SSH Configuration

Open the SSH configuration file in a text editor.

$ sudo vi /etc/ssh/sshd_config

Change the existing Subsystem line to internal-sftp (do not add a second one) and append the Match block at the end of the file.

Subsystem sftp internal-sftp

Match Group sftpgroup
    ChrootDirectory /sftpusers/chroot
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Save and exit the file. Validate the configuration, then restart the SSH daemon (sshd on RHEL-based systems, ssh on Debian/Ubuntu).

$ sudo sshd -t
$ sudo systemctl restart sshd
OR
$ sudo service sshd restart

You can verify the SSH and SFTP logins with the steps in section 3, Verify SSH & SFTP Logins, above. Inside the chroot the user lands at /, which is /sftpusers/chroot on the server, and sees only the ubuntu subdirectory, the one place it is allowed to write.
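Putting the second procedure together, the following script is an added example (not from the original article) that provisions any number of chrooted SFTP users under a root-owned base directory and installs the matching sshd configuration, validating it before the daemon is reloaded. The group name sftpgroup, the base /sftpusers/chroot, the drop-in file name 50-sftp-chroot.conf and the nologin path are assumptions for the example. The drop-in directory is used only when it exists, which requires OpenSSH 8.2 or later with the Include /etc/ssh/sshd_config.d/*.conf line that recent distribution packages ship; otherwise the block is appended to sshd_config. It must be run as root on a Linux host (sed -i and getent are assumed).

```shell
#!/bin/sh
# Added example, not from the original article: provision chrooted SFTP users
# under a root-owned base directory and install the sshd configuration for
# them. Names and paths below are assumptions for the example; run as root.

SFTP_GROUP=${SFTP_GROUP:-sftpgroup}
CHROOT=${CHROOT:-/sftpusers/chroot}
NOLOGIN=${NOLOGIN:-/usr/sbin/nologin}          # /sbin/nologin on RHEL-based systems
FRAGMENT=/etc/ssh/sshd_config.d/50-sftp-chroot.conf
SSHD_CONFIG=/etc/ssh/sshd_config

# Emit the Match block for a group and chroot base. A Match block is only
# valid after all global options, which a separate drop-in file (or
# appending to the end of sshd_config) guarantees.
render_match_block() {
    group=$1
    base=$2
    cat <<EOF
Match Group $group
    ChrootDirectory $base
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
EOF
}

# Create the root-owned base and one writable subdirectory per user.
# Idempotent: existing users and directories are left alone.
# Usage: provision_sftp_users alice bob
provision_sftp_users() {
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    # The chroot and every parent must be root-owned and not group/world
    # writable, or sshd rejects the login.
    mkdir -p "$CHROOT"
    chown root:root "$CHROOT"
    chmod 755 "$CHROOT"
    for name in "$@"; do
        if getent passwd "$name" >/dev/null; then
            usermod -aG "$SFTP_GROUP" "$name"     # -aG appends, -G alone would replace
        else
            # -M: do not create a home outside the chroot. The home path is
            # informational only: sshd chroots first, so the session starts at /.
            useradd -M -d "$CHROOT/$name" -g "$SFTP_GROUP" -s "$NOLOGIN" "$name"
            echo "created $name; set a password with: passwd $name"
        fi
        mkdir -p "$CHROOT/$name"
        chown "$name:$SFTP_GROUP" "$CHROOT/$name"
        chmod 700 "$CHROOT/$name"                # hidden from other chrooted users
    done
}

# Switch the sftp subsystem to internal-sftp, install the Match block,
# validate, and reload. Never reload on an unvalidated config: a typo in
# sshd_config locks you out of the host.
install_sshd_config() {
    # Edit the existing Subsystem line rather than adding a second one,
    # which sshd would reject at startup.
    sed -i 's|^Subsystem[[:space:]]\{1,\}sftp[[:space:]].*|Subsystem sftp internal-sftp|' "$SSHD_CONFIG"
    if [ -d "$(dirname "$FRAGMENT")" ]; then
        render_match_block "$SFTP_GROUP" "$CHROOT" > "$FRAGMENT"
    elif ! grep -q "^Match Group $SFTP_GROUP" "$SSHD_CONFIG"; then
        render_match_block "$SFTP_GROUP" "$CHROOT" >> "$SSHD_CONFIG"
    fi
    sshd -t || { echo "sshd configuration invalid; not reloading" >&2; return 1; }
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
}

# Usage: sh sftp-chroot.sh alice bob   (the file name is an assumption)
if [ $# -gt 0 ]; then
    provision_sftp_users "$@" && install_sshd_config
fi
```

After running it, each user lands at / of the chroot and works inside /NAME. If you would rather have users start directly in their own directory, set the account's home to the chroot-relative path (for example usermod -d /ubuntu ubuntu): sshd performs the chroot before changing to the home directory, so the relative path resolves inside the chroot.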

That’s it. In this article, we have learnt how to restrict SFTP users to home directory, and also how to restrict them to another specific folder.
