SFTP (SSH File Transfer Protocol) is a popular way for Linux users to transfer files securely to and from their servers. However, it is important to restrict SFTP users to specific folders on your server to prevent unauthorized access, so that a user can reach only the folders they have permission to access and not the entire file system. This is especially important in a multi-user or shared environment, so that a user cannot view the files and folders of other users without proper permission. In this article, we will look at how to restrict SFTP users to a specific directory in Linux. You can use these steps on all Linux distributions.
How to Restrict SFTP Users to Specific Directory in Linux
Here are the steps to restrict SFTP users to their home or another specific folder. Basically, we create a restricted environment using the ChrootDirectory directive in sshd_config. For this purpose we create a new user group sftpgroup and give it the right permissions and access. There are two ways to restrict SFTP users: to their home folder, or to any other specific folder. We will look at both of them. We will restrict user ubuntu to its home folder /home/ubuntu.
Restrict Users to Home Folder
1. Create Users Group
Open terminal and run the following command to create sftpgroup group.
$ sudo groupadd sftpgroup
Next add user ubuntu to this group.
$ sudo usermod -aG sftpgroup ubuntu
If you want to create a new user and then add it to sftpgroup, you can do so with the following commands. Here we create the new user test_user with sftpgroup as its primary group and no login shell, set its password, and add it to the group.
$ sudo useradd -g sftpgroup -s /sbin/nologin test_user
$ sudo passwd test_user
$ sudo usermod -aG sftpgroup test_user
2. Modify SSH Configuration File
Open SSH Configuration file in a text editor.
$ sudo vi /etc/ssh/sshd_config
Replace the existing Subsystem sftp line with the one below (sshd refuses to start if sftp is defined twice), and add the Match block at the end of the file, since every directive after a Match line applies only to the matching sessions.
Subsystem sftp internal-sftp

Match Group sftpgroup
    ChrootDirectory /home
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Save and close the file. Run one of the following commands to restart the SSHD service.
$ systemctl restart sshd
OR
$ service sshd restart
If you want to restrict multiple users to the same directory, you must change the permissions of each user's home folder so that they cannot view the home folders of other users.
$ sudo chmod 700 /home/ubuntu
3. Verify SSH & SFTP logins
Open a terminal and run the following command to verify SSH and SFTP logins. Replace 54.43.32.21 with the IP of your SSH server.
$ ssh ubuntu@54.43.32.21
You will be prompted for a password. Even if you enter the correct password, you will see output as shown.
ubuntu@54.43.32.21's password:
Could not chdir to home directory /home/ubuntu: No such file or directory
This service allows sftp connections only.
Connection to 54.43.32.21 closed.
Now connect to the same server via SFTP.
$ sftp ubuntu@54.43.32.21
On entering the right password, you will be logged into your home folder.
ubuntu@54.43.32.21's password:
Connected to 54.43.32.21.
sftp>
Run the following commands to get your present working directory and list the directories you have access to.
sftp> pwd
Remote working directory: /
sftp> ls
ubuntu
As shown above, you have access to the /ubuntu folder only, which is /home/ubuntu seen from inside the chroot. You can cd into this directory and start creating and uploading files and folders there.
Restrict Users to Specific Folders
In this case, we will look at how to restrict users to specific folders.
1. Create User group
Here too we create a separate user group sftpgroup.
$ sudo groupadd sftpgroup
Next, we create a new directory for the SFTP group and make root its owner. sshd requires the ChrootDirectory, and every directory above it, to be owned by root and not writable by group or others; otherwise the SFTP login is refused.
$ sudo mkdir -p /sftpusers/chroot
$ sudo chown root:root /sftpusers/chroot/
Next, we create a subfolder for each user so that they have full access to it. Here is an example that creates a separate folder for user ubuntu.
$ sudo useradd -g sftpgroup -s /sbin/nologin ubuntu
$ sudo passwd ubuntu
$ sudo mkdir /sftpusers/chroot/ubuntu
$ sudo chown ubuntu:sftpgroup /sftpusers/chroot/ubuntu/
$ sudo chmod 700 /sftpusers/chroot/ubuntu/
2. Configure SSH Configuration
Open the SSH configuration file in a text editor.
$ sudo vi /etc/ssh/sshd_config
Replace the existing Subsystem sftp line with the one below, and add the Match block at the end of the file, since every directive after a Match line applies only to the matching sessions.
Subsystem sftp internal-sftp

Match Group sftpgroup
    ChrootDirectory /sftpusers/chroot/
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Save and exit the file. Restart the SSHD service with one of the following commands.
$ systemctl restart sshd
OR
$ service sshd restart
You may verify SSH and SFTP logins using the steps in "3. Verify SSH & SFTP logins" above.
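The most common reason a chrooted SFTP login fails is that the chroot directory or one of its parents is not root-owned or is group/world writable. The following script is an added example, not part of the original article, that checks every directory from the ChrootDirectory up to / for that rule; the OWNER_UID and TOP parameters are assumptions of this example so it can also be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Added example: verify the ownership and mode rule sshd enforces on
# ChrootDirectory. Assumes GNU coreutils (stat -c, realpath).

# check_chroot_dir DIR OWNER_UID -- check one directory and print a verdict.
check_chroot_dir() {
    dir=$1
    want_uid=$2
    info=$(stat -c '%u %A' "$dir") || return 2
    uid=${info%% *}       # numeric owner, e.g. 0
    perm=${info#* }       # symbolic mode, e.g. drwxr-xr-x
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD  $dir: owned by uid $uid, expected $want_uid"
        return 1
    fi
    # character 6 is the group write bit, character 9 the world write bit
    case $perm in
        ?????w*|????????w*)
            echo "BAD  $dir: mode $perm is group- or world-writable"
            return 1 ;;
    esac
    echo "OK   $dir"
}

# check_chroot_path CHROOT [OWNER_UID] [TOP]
# Walks from CHROOT up to TOP (default /) and checks every component.
# OWNER_UID defaults to 0 (root); it is a parameter only so the check can
# run on a scratch tree owned by an unprivileged user (example assumption).
check_chroot_path() {
    current=$(realpath "$1") || return 2
    want_uid=${2:-0}
    top=$(realpath "${3:-/}") || return 2
    status=0
    while :; do
        check_chroot_dir "$current" "$want_uid" || status=1
        [ "$current" = "$top" ] && break
        [ "$current" = "/" ] && break
        current=$(dirname "$current")
    done
    return $status
}

# Real use on the server, as root:  check_chroot_path /sftpusers/chroot
```

Run it before restarting sshd; it checks only the directory rule, so still run `sshd -t` to check the configuration file syntax.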
That's it. In this article, we have learnt how to restrict SFTP users to their home directory, and also how to restrict them to another specific folder.