Jesse Lawson

Bestselling author and open-source evangelist.

Mar 19, 2014 - Tutorials Sysadmin

Restrict SFTP User to their Sites Directory (not just their Home Directory)

If you want to give your web hosting clients SFTP access to specific directories (probably their sites, right?) while keeping them chrooted (jailed) into their home directory, then read on.

The idea here is simple: we want to give our clients SFTP access to our server and then only allow them to access their individual sites. In this article, we’re going to setup a sample user jesse with a jailed SFTP account. This means that this new user “jesse” will only be able to access his home directory.

But wait! We don’t want to restrict the user to their home directory; since they’re web hosting clients, they need to be able to access their web directories, right? So instead of chrooting them to their home directories, shouldn’t we be chrooting them to their site directories?

Not necessarily. The idea here is that we will have new users setup on our Linux server with their /home/user directories because it separates their access point from the web root. Then, we’ll mount their specific web directories to their home account so that they can edit only their sites located on our system. This assumes a few things:

  • You have users who have either one site or multiple sites,
  • You don’t mind customizing your hosting directory a little bit,
  • You’re comfortable with the command line.

If the last point is what’s stopping you, then grab those bootstraps and dig in. There’s nothing like getting your feet wet the hard way!

Step 1: Tell the server to jail SFTP users.

The first thing we’ll do is setup your server to allow for SFTP. Run the following command and see what the output is:

sudo service ssh status

You should see something like <span class="lang:default decode:true crayon-inline ">ssh start/running, process 1234, but if you get something else that says SSH is not installed, then you need to go ahead and install OpenSSH by running the following command:

sudo apt-get install ssh

Once you have SSH installed and running, make sure you rerun the previous command (service ssh status) to ensure you’re up and ready to go.

The default SSH server settings don’t discriminate between web hosting clients and your admin/root account(s), so if you were to create a new user right now and have them login to your server via SFTP, they would be able to backup out of their home directory and snoop around your file system. They wont have permissions to do anything, of course, but the idea of having a web client snooping around my servers rather unsettling (wouldn’t you agree?)

To jail our SFTP users to their home directory, we’re going to do something called Chroot’ing. Technically, we aren’t going to use the chroot command at all; chroot is a way to define the root folder of the system so we can mount and run from different disks. Not exactly what we’re trying to accomplish, right? Well, in a way, we actually are changing the root system for each of our SFTP users by restricting them to their home directories. Now, their root directory is not the server root, but instead, is /home/%username%. So we use chroot here not as a verb to describe what’s happening. (This should help to clarify what a lot of other tutorials around the internet fail to disclose).

We’ll jail all server users by editing our ssh config file and adding a new block of text at the very end. First, let’s open up our SSH configuration file:

sudo nano /etc/ssh/sshd_config

Once it’s open, we need to scroll all the way to the bottom of the file. You can do this very quickly in nano by holding down ctrl and pressing ‘v’, which is the command for “page down” in nano. (See? You learn something new everyday.)

At the bottom, we’ll add the following to the file:

# New rules for group 'jailedsftp'
Match group jailedsftp
       # Change the root of each user to their home directory
       ChrootDirectory /home/%u
       AllowTcpForwarding no
       ForceCommand internal-sftp

What this does is tell our ssh to match the above rules to the usergroup
jailedsftp, the main rule being to change the root directory of our users in this group to /home/<their user name>.

Save this file: press Ctrl+x, then press ‘y’, then press ‘enter.’

Now let’s create the group we’ll use to jail all these user accounts.

If you just have a few users that you’re trying to jail, then using the group method might be a bit cumbersome. You can also set the rules to Match user jesse and setup the permissions that way (this also allows you to manually set a directory, but will take manually editing this file every time you want to add a new user like that).

Step 2: Create a new SFTP user.

Simple: Create a new user in group jailedsftp.

Step 3: Test the new user (can you snoop around?)

Login via the user and run a cd .. command. From there, run dir. Can you see anything above the parent directory? No? Then you’re all set!