Forum: Linux - Newbie
Old 04-18-2018, 10:35 AM   #1
Registered: Nov 2012
Posts: 97
restricted user


Platform Centos 6;

How may I create a new user that can only access an existing directory?

I want to share the public key of this user so that if someone connects, they only see one directory.
Old 04-18-2018, 12:11 PM   #2
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 836
Blog Entries: 3
Are they connecting over ssh/sftp?
If yes, you can set the "ChrootDirectory" value for ssh.

See the first answer on this post:
Old 04-18-2018, 12:58 PM   #3
Registered: Nov 2012
Posts: 97
Original Poster
I have ssh access.
I came across the above link, but in my case the directories exist. How do I limit the user so that they cannot access anything else?
Old 04-18-2018, 01:33 PM   #4
LQ Guru
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 6,770
Blog Entries: 3
The easiest way, as shown in the link posted by coralfang, is to use ForceCommand to lock them into SFTP and ChrootDirectory to lock them into a specific part of the hierarchy.

When you mention that a directory already exists, is that directory owned by root and writable by no one else? If not, you will have to use mount to bind it somewhere.

Say you have the directory /home/hnasr2001/files/ that you want the user 'aaaa' to write to, but nowhere else. First create the mount point and bind mount the existing directory there:

sudo mkdir -p -m 755 /home/locked/files/
sudo chown aaaa:aaaa /home/locked/files/
sudo mount --bind /home/hnasr2001/files/ /home/locked/files/
Be careful with the permissions. The chroot target must not be writable by anyone other than root, though it may be readable by either the group or anyone for that matter. The subdirectory ./files/ does not have any constraints and can be writable by user 'aaaa' or anyone else.

Then add the group and its member(s). The group membership will take effect next log in.

# CentOS 6 ships groupadd; addgroup is the Debian/Ubuntu wrapper
sudo groupadd locked
sudo gpasswd --add aaaa locked
Put the following at the end of sshd_config:

Match Group locked
        ChrootDirectory /home/locked/
        # internal-sftp -d (start directory) needs OpenSSH 6.2+; CentOS 6 ships 5.3,
        # so start at the chroot root, where ./files/ is the only entry
        ForceCommand internal-sftp
        PermitTunnel no
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
Then reload the configuration.

# CentOS 6 uses SysV init and the service is named sshd (systemctl reload sshd on systemd hosts)
sudo service sshd reload
Upon reloading the SSH service, users in the group 'locked' will only be able to connect via SFTP. When they do connect they will only see the one subdirectory.

See "man sshd_config" and "man sftp-server" for the details on the chroot and forced command.

See "man mount" for the details on the bind mount.
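The steps in the post above, gathered into one script aimed at the OP's CentOS 6 box, as an added example that is not part of the original thread or the poster's own commands. The user 'aaaa', group 'locked', chroot /home/locked and source directory /home/hnasr2001/files are the names from the post; the function names and the ownership/permission check are assumptions of this example. It deliberately differs from the posted config in the two places that bite on CentOS 6: OpenSSH 5.3 has no `internal-sftp -d`, and the daemon is reloaded with `service sshd reload`. It also checks, before touching sshd, the rule the post states in prose: the chroot target and every parent directory must be root-owned and writable by nobody else, or sshd refuses the login.

```shell
#!/bin/bash
# Added example (not from the thread): SFTP-only user confined to one existing
# directory with ChrootDirectory + a bind mount, written for CentOS 6
# (OpenSSH 5.3, SysV init). Names follow the post above; the function names
# and the permission check are this example's own.

# sshd only accepts a ChrootDirectory whose every path component is owned by
# root and not group- or world-writable. perm_ok applies that rule to one
# component: $1 = owner uid, $2 = octal mode as printed by `stat -c %a`.
perm_ok() {
    local uid=$1 mode group other
    [ "$uid" -eq 0 ] || return 1
    # pad to four digits so a setuid/setgid/sticky digit never shifts the rest
    mode=$(printf '%04d' "$2")
    group=$(printf '%s' "$mode" | cut -c3)
    other=$(printf '%s' "$mode" | cut -c4)
    # the write bit is 2 in each octal digit
    [ $((group & 2)) -eq 0 ] && [ $((other & 2)) -eq 0 ]
}

# Walk from the chroot target up to / and apply perm_ok to each component.
check_chroot_path() {
    local p=$1 uid mode
    while :; do
        uid=$(stat -c %u "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        if ! perm_ok "$uid" "$mode"; then
            echo "unsafe chroot component $p: uid $uid mode $mode" >&2
            return 1
        fi
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# The Match block to append to sshd_config. Plain "internal-sftp": the -d
# start-directory flag arrived in OpenSSH 6.2, so on 5.3 the session starts at
# the chroot root, where the bind-mounted "files" directory is the only entry.
# PermitTunnel is omitted because Match support for it on 5.3 is not assumed here.
sftp_match_block() {
    local group=$1 chroot=$2
    cat <<EOF
Match Group $group
        ChrootDirectory $chroot
        ForceCommand internal-sftp
        AllowAgentForwarding no
        AllowTcpForwarding no
        X11Forwarding no
EOF
}

# Root-only: perform the whole setup. $1 user, $2 group, $3 chroot, $4 existing dir.
setup_restricted_sftp() {
    local user=$1 group=$2 chroot=$3 src=$4
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -d "$src" ] || { echo "source directory $src does not exist" >&2; return 1; }
    mkdir -p -m 755 "$chroot"
    chown root:root "$chroot"
    check_chroot_path "$chroot" || return 1
    mkdir -p "$chroot/files"
    chown "$user:$user" "$chroot/files"
    # expose the existing directory inside the chroot (not reboot-persistent; see note)
    mountpoint -q "$chroot/files" || mount --bind "$src" "$chroot/files"
    getent group "$group" >/dev/null || groupadd "$group"
    gpasswd -a "$user" "$group"
    # Match blocks run to end of file, so append once and keep nothing after it
    grep -q "^Match Group $group\$" /etc/ssh/sshd_config ||
        sftp_match_block "$group" "$chroot" >> /etc/ssh/sshd_config
    # syntax-check first so a typo cannot lock every user out on reload
    sshd -t && service sshd reload
}

# Usage on the OP's box (as root):
# setup_restricted_sftp aaaa locked /home/locked /home/hnasr2001/files
```

Two things to do afterwards. The bind mount vanishes at reboot, so add `/home/hnasr2001/files /home/locked/files none bind 0 0` to /etc/fstab if the share is permanent. And verify from a second terminal before closing the one you edited sshd_config in: `sftp aaaa@host` should drop into `/` of the chroot with `files` as the only entry, while `ssh aaaa@host` should be refused with a message about the forced command.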