how can I make folder accessible by one user

October 13, 2018 1.3k views
Apache DigitalOcean Configuration Management Ubuntu 18.04

I’ve followed this tutorial to make apache virtual hosts.

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts

What I want is to restrict user access to the domain path [ /var/www/domain.com/public_html ].

e.g: user “none” can only operate on this folder { /var/www/devmuath.com/public_html }

  • he can use SSH - and sftp programs like filezilla

I’m still new on Ubuntu, so please give step by step instructions.

3 Answers

This is a good tutorial on how to do that: https://www.tecmint.com/restrict-sftp-user-home-directories-using-chroot/

Make sure to disable SSH login just like the tutorial shows. Otherwise it’s easy to circumvent the restrictions.

  • Thanks for your reply, but whenever I change the sshd_config

    Subsystem sftp internal-sftp

    Match Group sftpgroup
        ChrootDirectory /home
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

    ChrootDirectory /home or /var/www

    I get this error

    Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Control process exited, code=exited status=255
    Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
    Oct 14 12:22:29 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.
    Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
    Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
    Oct 14 12:22:30 ibrahim systemd[1]: Stopped OpenBSD Secure Shell server.
    Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Start request repeated too quickly.
    Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
    Oct 14 12:22:30 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.
    
    

What’s in the error log? Run this right after you attempt a restart of sshd:

journalctl -xe

  • Thanks, it did work.

    Now when I tried to log in using SFTP or ssh I get this

    Connection reset by 2X.X9.18.X0 port 22
    Connection closed
    
    

    Long error using ssh -vv | sftp -vv

    OpenSSH_7.7p1, OpenSSL 1.0.2o  27 Mar 2018
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: resolve_canonicalize: hostname 2X.X9.18.X0 is address
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to 2X.X9.18.X0 [2X.X9.18.X0 ] port 22.
    debug1: Connection established.
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_7.7
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4
    debug1: match: OpenSSH_7.6p1 Ubuntu-4 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to 2X.X9.18.X0 :22 as 'mouath'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Host '2X.X9.18.X0' is known and matches the ECDSA host key.
    debug1: Found key in /c/Users/I B R A H I M HA/.ssh/known_hosts:1
    debug2: set_newkeys: mode 1
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 4294967296 blocks
    debug2: key: /c/Users/I B R A H I M HA/.ssh/id_rsa (0x0)
    debug2: key: /c/Users/I B R A H I M HA/.ssh/id_dsa (0x0)
    debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa (0x0)
    debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ed25519 (0x0)
    debug2: key: /c/Users/I B R A H I M HA/.ssh/id_xmss (0x0)
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_rsa
    debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_dsa
    debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa
    debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ed25519
    debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_xmss
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
    mouath@2X.X9.18.X0's password:
    debug2: we sent a password packet, wait for reply
    mouath@2X.X9.18.X0's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    Authenticated to 2X.X9.18.X0([2X.X9.18.X0]:22).
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    Connection reset by 2X.X9.18.X0  port 22
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    mouath@2X.X9.18.X0's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    mouath@2X.X9.18.X0's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    mouath@2X.X9.18.X0 : Permission denied (publickey,password).
    Connection closed
    
    

    Screenshot from /etc/ssh/sshd_config
    https://i.imgur.com/QzNXBSD.png

Sorry for being late!

I tried to log in to the server from the user who has the problem and here is the log.

Oct 16 18:42:17 ibrahimh sshd[9947]: Accepted password for root from 2X.X9.18.X0 port 16041 ssh2
Oct 16 18:42:17 ibrahimh sshd[9947]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 16 18:42:17 ibrahimh systemd-logind[789]: New session 882 of user root.


Oct 16 18:45:57 ibrahimh sshd[10048]: Accepted password for mouath from 2X.X9.18.X0 port 16394 ssh2
Oct 16 18:45:57 ibrahimh sshd[10048]: pam_unix(sshd:session): session opened for user mouath by (uid=0)
Oct 16 18:45:57 ibrahimh systemd: pam_unix(systemd-user:session): session opened for user mouath by (uid=0)
Oct 16 18:45:57 ibrahimh systemd-logind[789]: New session 883 of user mouath.
Oct 16 18:45:58 ibrahimh sshd[10142]: fatal: bad ownership or modes for chroot directory component "/var/www/"
Oct 16 18:45:58 ibrahimh sshd[10048]: pam_unix(sshd:session): session closed for user mouath
Oct 16 18:45:58 ibrahimh systemd-logind[789]: Removed session 883.

  • You are the best, thanks for letting me know where my mistakes were.

    Now I have one more little problem: the chown works very well (“he can’t delete/add/update”), but it still shows other folders. Is there a way that I can hide them?

    In the GIF below, the user has permission for the first folder, and he doesn’t have permission for the rest of the folders.

    https://i.imgur.com/E6TQKTD.gif

    • You’ll need to further limit the chroot. So instead of /var/www, set it to /var/www/html to limit it to html/. Otherwise the user will be able to see all readable files and folders under /var/www.
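The `fatal: bad ownership or modes for chroot directory component "/var/www/"` line in the log above is sshd refusing the chroot because one directory on the path is not root-owned or is writable by group or others; sshd applies that rule to every component from `/` down to the `ChrootDirectory`. The script below is an added example, not code from this thread or from OpenSSH: it re-implements that check in POSIX shell so the offending component can be found before a user is locked out. It assumes GNU/busybox `stat -c`, and the function names `check_chroot_component` and `check_chroot_path`, the optional owner-uid and top-of-walk parameters, and the sample paths are mine.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the ownership/mode rule that
# sshd applies to each path component of ChrootDirectory.
# Assumptions: `stat -c` (GNU coreutils or busybox); owner uid 0 (root) by default.

# Return 0 when an octal permission digit (0-7) has its write bit (2) set.
digit_has_write() {
    case "$1" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_chroot_component PATH [OWNER_UID]
# A single component is acceptable to sshd when it is a directory, owned by
# OWNER_UID (root on a real server) and not writable by group or others.
check_chroot_component() {
    comp=$1
    want_uid=${2:-0}
    [ -d "$comp" ] || { echo "not a directory: $comp"; return 1; }
    uid=$(stat -c '%u' "$comp")
    mode=$(stat -c '%a' "$comp")   # e.g. 755 or 1777
    others=${mode#"${mode%?}"}     # last octal digit: world permissions
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last octal digit: group permissions
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner uid $uid (want $want_uid): $comp"
        return 1
    fi
    if digit_has_write "$group" || digit_has_write "$others"; then
        echo "group/world writable (mode $mode): $comp"
        return 1
    fi
    return 0
}

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walk from DIR upward, checking each component up to and including TOP
# (default "/", which is what sshd does). Returns 0 only if every component passes.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    p=$dir
    while :; do
        check_chroot_component "$p" "$want_uid" || rc=1
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break        # reached the filesystem root
        p=$(dirname "$p")
    done
    return $rc
}

# Usage on the server from the thread (run as root, after narrowing the chroot):
#   check_chroot_path /var/www/html && echo "chroot path OK"
```

Run it as root against the directory named in `ChrootDirectory` before restarting sshd; each failing component is printed with the reason. Fixing the reported component usually means `chown root:root` on it and removing group/world write bits (e.g. `chmod 755`), while the user's writable area lives in a subdirectory owned by that user inside the chroot. Pair it with `sshd -t`, which parses `sshd_config` and reports errors without restarting the service, so the failed-restart loop shown earlier in the thread is caught before `systemctl restart ssh`.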
