Hello - I am trying to create an account on my droplet for SFTP usage only, for which the user (with account <useraccount>) can only access a specific sub folder and its children. My droplet is running Ubuntu 16.04 with a LAMP stack. I have taken the following steps:
- set up root ownership for the parent of the home directory and all its parents, as well as 755 permissions;
- set up <useraccount> ownership of the home directory and all the files and directories below it, with 755 permissions;
- inserted the following at the end of /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match USER <useraccount>:<usergroup>
    ChrootDirectory <home directory>
    PasswordAuthentication yes
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
When I test this account with FileZilla, I can log in via SFTP and FileZilla does go to the correct folder. However, there is no restriction to that folder and its children. Instead, I can navigate to any other folder within the droplet.
Can someone advise what I may be doing wrong and how I can restrict access to the home directory and its children?
Thanks,
Michael Trotz
Hi @michaeltrotz,
From what you've described, everything seems to be configured properly. I'll add one small detail: try setting the ChrootDirectory to permission 700 rather than 755.
Additionally, you might want to try changing the line in your sshd_config
Match USER <useraccount>:<usergroup>
with
Match Group <usergroup>
Don’t forget to restart your sshd service
service sshd restart
Regards, KDSys
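As an added example, not code from the question, the answer, or DigitalOcean's documentation, the script below wraps the two things that decide whether an SFTP jail actually takes effect. First, sshd only applies a Match stanza if its criteria match the account that is logging in; a stanza that never matches is silently skipped and the user gets an ordinary, unrestricted SFTP session. Second, sshd refuses to chroot (logging "bad ownership or modes for chroot directory") unless every path component from / down to the ChrootDirectory is owned by root and has no group or other write bit, so the chroot itself must be root-owned and the user owns only a subdirectory inside it. The script reproduces that path check, renders a Match block, and has a root-only apply routine that validates with `sshd -t` before restarting. The username `alice`, the chroot `/home/alice`, the `upload` subdirectory name, the `/etc/ssh/sshd_config` path and the `ssh` unit name are assumptions; GNU `stat` (Linux) is assumed.

```shell
#!/bin/bash
# Added example, not part of the original thread. Usernames, paths and the
# "upload" subdirectory are assumptions; requires GNU stat (Linux).

# chroot_dir_ok DIR [OWNER_UID]: one directory passes the sshd chroot rule if
# its owner is OWNER_UID (default 0 = root, which is what sshd demands) and its
# mode has no group/other write bit.
chroot_dir_ok() {
    local dir="$1" owner="${2:-0}" uid mode tail
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" -eq "$owner" ] || return 1
    tail="${mode#${mode%??}}"          # last two octal digits: group, other
    case "$tail" in
        *[2367]*) return 1 ;;          # a 2, 3, 6 or 7 digit means writable
    esac
    return 0
}

# check_chroot_path DIR [OWNER_UID]: walk every component of DIR's real path
# (symlinks resolved, as sshd does) and print each one that fails; returns 1
# if any component failed, 0 if the whole path is acceptable.
check_chroot_path() {
    local dir="$1" owner="${2:-0}" abs rest comp cur bad=0
    abs=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "no such directory: $dir" >&2; return 1; }
    cur="/"
    chroot_dir_ok "$cur" "$owner" || { echo "bad: $cur"; bad=1; }
    rest="${abs#/}"
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"
        cur="${cur%/}/$comp"
        chroot_dir_ok "$cur" "$owner" || { echo "bad: $cur"; bad=1; }
        [ "$rest" = "$comp" ] && rest="" || rest="${rest#*/}"
    done
    return "$bad"
}

# render_match_block USER CHROOT: the sshd_config stanza. "Match User" is
# compared against the username only, so a "user:group" value never matches.
# Leave the existing "Subsystem sftp" line alone: a second Subsystem line is a
# fatal config error, and ForceCommand internal-sftp works regardless of which
# sftp server that line names.
render_match_block() {
    local user="$1" chroot="$2"
    cat <<EOF

Match User $user
    ChrootDirectory $chroot
    ForceCommand internal-sftp
    PasswordAuthentication yes
    X11Forwarding no
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
EOF
}

# apply_sftp_chroot USER CHROOT [SUBDIR]: root only. Builds the jail layout
# (root-owned 755 chroot, user-owned subdirectory), checks it, appends the
# stanza and restarts sshd only after `sshd -t` accepts the file, since a
# broken sshd_config takes the service down on restart and locks you out.
apply_sftp_chroot() {
    local user="$1" chroot="$2" sub="${3:-upload}" group
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    group=$(id -gn "$user") || return 1
    mkdir -p "$chroot/$sub"
    chown root:root "$chroot" && chmod 755 "$chroot"
    chown "$user:$group" "$chroot/$sub" && chmod 755 "$chroot/$sub"
    check_chroot_path "$chroot" || return 1
    render_match_block "$user" "$chroot" >> /etc/ssh/sshd_config
    sshd -t || return 1
    systemctl restart ssh              # Ubuntu's unit is "ssh" ("sshd" is an alias)
}

# Usage:  bash sftp_chroot.sh check /home/alice
#         sudo bash sftp_chroot.sh apply alice /home/alice
case "${1:-}" in
    apply) apply_sftp_chroot "$2" "$3" ;;
    check) check_chroot_path "$2" ;;
esac
```

Run the `check` mode against the directory named in ChrootDirectory before anything else: a chroot owned by the SFTP user, as described in the question, is reported as bad, because sshd insists on root ownership there no matter what the mode is. Both 700 and 755 pass the mode test (neither has group or other write bits), but the user needs at least execute permission on the chroot directory to reach the subdirectory inside it, which is why 755 with a user-owned subdirectory is the usual layout.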