Setting up a sftp server by restricting users to their home directory

Setting up a sftp server by restricting users to their home directory

In these two articles, we’ll take a look at two possible ways to restrict Linux users to their own directory. Recently, I had to setup a SFTP server for regular backup of some data. This article contains the same steps and explanation.

By restricting users to specified directory (such as their home directory) by using chroot, we can ensure that they can’t go and look around system files or other data. Especially when setting up multi user platform where you may have to give access to multiple people/application.

Note: I’ll be using Centos 7 in the tutorial but commands and processes are almost similar in most modern distros.

Restricting sftp users to their home directory

One most common chroot directory is the home directory of user. This will restrict their access to their own home directory and would not allow access to any another system file when using sftp.

Setting up SFTP server

In this section, we’ll configure the SFTP server for the same. First of all, let us create user on our server

useradd wpbackup
passwd wpbackup

Now we need to create a group and assign it to our user. We’ll call it “sftpgroup”

groupadd sftpgroup
usermod -G sftpgroup wpbackup

We’ll now create default folder for user where he can do whatever he wants, let us call it “files” and give it proper permission.

mkdir /home/wpbackup/files
chown wpbackup:sftpgroup /home/wpbackup/files

We need to prevent the user from logging to shell which otherwise defeats the whole purpose of our setup

usermod -s /sbin/nologin wpbackup

We can perform this in one line as well

adduser wpbackup -g sftpgroup -s /sbin/nologin

Next we need to configure SSH to chroot the user. So we’ve got to edit the sshd_config file.

Open /etc/ssh/sshd_config and make the following edits:

1. Comment this line by adding hash (#) before it:

Subsystem sftp /usr/lib/openssh/sftp-server

2. Add the following at the end of the file

Subsystem sftp internal-sftp
Match group sftpgroup
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
# ForceCommand internal-sftp


  • Here %h means the home directory of user, since we cannot specify directory for each user, we use this variable.
  • The last line here will prevent all local users from being able to login to the SSH of server. If you uncomment the last line, users outside this group will still be able to access SSH. I’ve left it commented for now.

3. Let us restart the sshd service but prior make sure that above changes are saved.

service sshd restart

Points to remember

Below, I’ve put together some very useful information which can help you prevent most common errors which can save you hours of troubleshooting.

  • Directory permission of /home should be 755 and owner should be root
    chown root:root /home
    chmod 755 /home
  • Directory permission of /home/user should be 755 and owned by root
    chown root:root /home/wpbackup
    chmod 755 /home/wpbackup
  • Directory permission of /home/user/files can be 700 and must be owned by user:group (i.e. wpbackup:sftpgroup)
    chown wpbackup:sftpgroup /home/wpbackup/files
    chmod 700 /chroot/wpbackup/files

Testing our setup!

$ sftp [email protected]_IP
[email protected]_IP's password: 
Connected to SERVER_IP.
sftp> ls
sftp> pwd
Remote working directory: /
sftp> put testfile
Uploading testfile to /testfile
remote open("/testfile"): Permission denied
sftp> cd files
sftp> put testfile
Uploading testfile to /files/testfile
testfile                                      100%    0     0.0KB/s   00:00

So, our chroot is working perfectly as we expected. Users can only make changes inside of files directory in their home directory and can’t browser any directory but their home.

NextSetting up a sftp server by restricting users to another directory


Related Post


Leave a Reply

Your email address will not be published. Required fields are marked *