Create SFTP only user and allow access to already created directory
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I want to create a user who can only SFTP and can't SSH. There are a lot of tutorials for creating SFTP-only users. Going through one of those articles I was able to create a user who can SFTP to the server, but all of the articles create a new folder and then allow access to it.
In my case I have an already created folder (with a lot of important files in it) to which I want to allow access.
There are commands in the article; I just want to make sure the same commands will work for an existing directory.
What I am up to:
1) I followed this article http://techinternets.com/chrootjailv6#7
2) I have a user ready (mark) who can access /home/jail/mark
3) Now I want to allow him access to /home/admin/domains/domain.com/public_html/access
How can I do it?
(Note: I am not a server guy, I am a programmer, and hardly know Unix/Linux commands.)
From something I read somewhere, I ran this command
Code:
sudo usermod -d /home/admin/domains/domain.com/public_html/assets mark
and then connected through SFTP... whoa, he has got root access. I can see directories like "bin, boot, srv, var, home". This is not what I wanted.
Forget the chroot tutorial you found above; everything you need is already provided by OpenSSH. It's built in. You can chroot SFTP users very easily by doing something like the following in sshd_config:
Code:
Subsystem sftp internal-sftp
Match Group sftp-only
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
That will make any member of the group 'sftp-only' only able to use SFTP inside their home directory. They will not be able to use SSH nor will they be able to see anything outside of the home directory. One gotcha is that their home directory has to be owned by root, but the files and subdirectories can be owned by them.
You can read more about SFTP in the Wikibook and then hopefully the manual pages for sshd_config(5) and sshd(8) will be more clear.
@Turbocapitalist: thanks for the reply. The article link you sent is really useful; I am going through it. But can you tell me what I did wrong in my above post? Why did that newly created user get access to the root folder?
What command do I have to use if I want to edit the user's home directory?
Steps #1 - #6 should be unnecessary in a normal Linux distro. You'll get the packages you need directly from the repository instead. It's much easier to manage the system that way. Also with the standard packages, the standard tutorials and HowTos will apply.
Step #7 points to a non-standard location for the SFTP subsystem. If you copied it verbatim, it may not work. The example I pointed to uses the built-in SFTP subsystem.
Steps #8 - #10 should be OK, but jail the user somewhere other than their home directory.
When you say "jail the user to some other home directory", what does it mean? Sorry, I am not a Linux user so I hardly know any concepts (common technical words used in Linux). Do you want me to make changes to the below line?
The directory specified by sshd_config's ChrootDirectory has to be owned by root and writable by no one else. The sub-directories and files therein can be owned by your user. So I'd guess you mean something like this:
Notice that the subdirectory public_html is writable by the user and thus is not included in the ChrootDirectory directive.
About the concepts, chroot is a way of isolating part of the file system by pretending that the one part is the root (top-level) of the system. The 'jail' is a name for the part that is being isolated.
The same concepts apply in the other systems like the BSDs and OS X.
If you set up an SFTP only chrooted directory then
/home/admin/domains/domain.com/public_html
will appear as
/domain.com/public_html
to the chrooted sftp user during the time they are using SFTP.
To the other users, especially regular system users, it will appear as
/home/admin/domains/domain.com/public_html
So even if the directory is chrooted for certain SFTP users, you as administrator will still be able to access it as a regular directory with all programs and "commands":
/home/admin/domains/domain.com/public_html
The contents inside that directory are not affected one way or another, just access to the directories is affected.