Setting up a sftp server by restricting users to another directory

In the previous article, we looked at how to restrict an sftp user's access to their home directory. In this article, we'll restrict their access to another directory which is not their home directory. The process is pretty much the same.

Note: I'll be using CentOS 7 in this tutorial, but the commands and process are very similar on most modern distros.

Restricting sftp users to another directory


We'll begin by preparing our SFTP server just like the previous one. Let us create a user for sftp:

useradd wpbackup
passwd wpbackup

Now we need to create a group and add our user to it. We'll call it "sftpgroup". The -a flag appends the group, so any supplementary groups the user already has are kept:

groupadd sftpgroup
usermod -aG sftpgroup wpbackup

We will now create a directory at the root level which will hold the restricted users. Inside this directory we create one directory per user, and inside each user's directory a "files" directory where they can write. Here, the permissions and owner of each directory are a very important part.

mkdir -p /chroot/wpbackup/files

We can optionally disable the ssh login for the user. This is optional because the user will not be able to get a shell anyway, as we've changed their chroot directory; the login will fail with an error similar to:

Could not chdir to home directory /home/wpbackup: No such file or directory
/bin/wpbackup: No such file or directory
Connection to server closed.

But let us do this anyway as a safety precaution:

usermod -s /sbin/nologin wpbackup

Open /etc/ssh/sshd_config and make the following edits:

1. Comment out this line by adding a hash (#) in front of it:

Subsystem sftp /usr/lib/openssh/sftp-server

2. Add the following at the end of the file:

Subsystem sftp internal-sftp
Match group sftpgroup
ChrootDirectory /chroot/%u
# ForceCommand internal-sftp

Notes:

  • Just as %h was the variable for the home directory, as explained in the previous post, %u is the variable for the username.
  • As in the previous article, the last line (ForceCommand internal-sftp) blocks normal ssh shell access for these users as well. Uncomment it if you want to restrict that too.

Let us restart the sshd service, but first make sure the above changes are saved:

service sshd restart

Points to remember

Below, I've put together some very useful information which can help you avoid the most common errors and save you hours of troubleshooting. This is mostly the same as in the previous article.

Note: Incorrect directory permissions will prevent the chroot, and therefore sftp access, from working.

  • Directory permission of /chroot should be 755 and the owner should be root
    chown root:root /chroot
    chmod 755 /chroot
  • Directory permission of /chroot/user should be 755 and owned by root
    chown root:root /chroot/wpbackup
    chmod 755 /chroot/wpbackup
  • Directory permission of /chroot/user/files can be 700 and it must be owned by user:group (i.e. wpbackup:sftpgroup)
    chown wpbackup:sftpgroup /chroot/wpbackup/files
    chmod 700 /chroot/wpbackup/files
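sshd checks every component of the ChrootDirectory path, not just the final directory: each one must be owned by root and must not be writable by group or others, otherwise the login fails with "bad ownership or modes for chroot directory component". The script below is an added example (it is not part of the original article) that walks that chain and also confirms the upload directory belongs to the sftp user. The owner uid and the top of the walk are parameters so the checks can be exercised on a scratch tree; in production leave them at their defaults (uid 0 and /). It assumes GNU stat, as found on CentOS 7.

```shell
#!/bin/sh
# Added example: verify the directory chain that sshd's ChrootDirectory
# requires, plus the user-owned upload directory. Assumes GNU stat (-c).

# check_chroot_chain CHROOT_DIR [OWNER_UID] [TOP]
# Walks from CHROOT_DIR up to and including TOP (default: /). Every
# component must be owned by OWNER_UID (default: 0, i.e. root) and must not
# be group- or world-writable, which is exactly what sshd enforces.
# Prints one line per problem; returns 0 when the chain is clean, 1 otherwise.
check_chroot_chain() {
    local dir="$1" owner="${2:-0}" top="${3:-/}" path problems uid mode
    problems=0
    path="$dir"
    while :; do
        uid=$(stat -c '%u' "$path") || return 1
        mode=$(stat -c '%a' "$path") || return 1
        if [ "$uid" != "$owner" ]; then
            echo "BAD OWNER  $path is owned by uid $uid, expected uid $owner"
            problems=$((problems + 1))
        fi
        # 022 masks the group-write and other-write bits; 0$mode makes
        # stat's "755" read as the octal constant 0755.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE   $path has mode $mode (group/world writable)"
            problems=$((problems + 1))
        fi
        [ "$path" = "$top" ] && break
        path=$(dirname "$path")
    done
    [ "$problems" -eq 0 ]
}

# check_upload_dir DIR USER GROUP
# The writable directory inside the jail must belong to the sftp user
# (wpbackup:sftpgroup in the article), otherwise "put" fails with
# "Permission denied" even though the chroot itself works.
check_upload_dir() {
    local dir="$1" want="$2:$3" have
    have=$(stat -c '%U:%G' "$dir") || return 1
    if [ "$have" != "$want" ]; then
        echo "BAD OWNER  $dir is owned by $have, expected $want"
        return 1
    fi
    return 0
}

# Usage: sh check-chroot.sh /chroot/wpbackup [user] [group]
# With no arguments the functions are only defined, so the file can be
# sourced from another script.
if [ $# -ge 1 ]; then
    check_chroot_chain "$1" \
        && check_upload_dir "$1/files" "${2:-wpbackup}" "${3:-sftpgroup}" \
        && echo "OK: $1 is a valid chroot for ${2:-wpbackup}"
fi
```

Run it as root after the chown/chmod commands above and before restarting sshd; pair it with `sshd -t`, which validates the syntax of /etc/ssh/sshd_config without restarting the daemon.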

Testing our setup!

$ sftp wpbackup@SERVER_IP
wpbackup@SERVER_IP's password: 
Connected to SERVER_IP.
sftp> ls
files  
sftp> pwd
Remote working directory: /
sftp> put testfile
Uploading testfile to /testfile
remote open("/testfile"): Permission denied
sftp> cd files
sftp> put testfile
Uploading testfile to /files/testfile
testfile                                      100%    0     0.0KB/s   00:00

Again, our chroot user is jailed and unable to access any parent directory above it. Everything works fine now!
