how can I make folder accessible by one user

Question

I’ve followed this tutorial to make apache virtual hosts.

https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-14-04-lts

What I want is to restrict user access to the domain path [ /var/www/domain.com/public_html ].

e.g: user “none” can only operate on this folder { /var/www/devmuath.com/public_html }

he can use SSH - and sftp programs like filezilla

I’m still new on Ubuntu, so please give step by step instructions.

Answer 1

unixynet October 14, 2018

This is a good tutorial on how to do that: https://www.tecmint.com/restrict-sftp-user-home-directories-using-chroot/

Make sure to disable SSH login just like the tutorial shows. Otherwise it’s easy to circumvent the restrictions.

Reply Report

ibrhajjaj October 14, 2018

Thanks for your reply, but Whenever I change the sshd_config

Subsystem sftp internal-sftp

   Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

ChrootDirectory /home or /var/www

I get this error

Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Control process exited, code=exited status=255
Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
Oct 14 12:22:29 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
Oct 14 12:22:30 ibrahim systemd[1]: Stopped OpenBSD Secure Shell server.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Start request repeated too quickly.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
Oct 14 12:22:30 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.

Reply Report

Answer 2

ibrhajjaj October 14, 2018

Thanks for your reply, but Whenever I change the sshd_config

Subsystem sftp internal-sftp

   Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

ChrootDirectory /home or /var/www

I get this error

Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Control process exited, code=exited status=255
Oct 14 12:22:29 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
Oct 14 12:22:29 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Service hold-off time over, scheduling restart.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Scheduled restart job, restart counter is at 5.
Oct 14 12:22:30 ibrahim systemd[1]: Stopped OpenBSD Secure Shell server.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Start request repeated too quickly.
Oct 14 12:22:30 ibrahim systemd[1]: ssh.service: Failed with result 'exit-code'.
Oct 14 12:22:30 ibrahim systemd[1]: Failed to start OpenBSD Secure Shell server.

Reply Report

Answer 3

unixynet October 15, 2018

What’s in the error log? Run this right after you attempt a restart of sshd:

journaltctl -xe

Reply Report

ibrhajjaj October 15, 2018

Thanks, It did work.

Now when I tried to log in using SFTP or ssh I get this

Connection reset by 2X.X9.18.X0 port 22
Connection closed

Long error using ssh -vv | sftp -vv

OpenSSH_7.7p1, OpenSSL 1.0.2o  27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 2X.X9.18.X0 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 2X.X9.18.X0 [2X.X9.18.X0 ] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4
debug1: match: OpenSSH_7.6p1 Ubuntu-4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 2X.X9.18.X0 :22 as 'mouath'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
 debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
 debug1: Host '2X.X9.18.X0' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/I B R A H I M HA/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_rsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_dsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ed25519 (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_xmss (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_rsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_dsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ed25519
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 2X.X9.18.X0([2X.X9.18.X0]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
Connection reset by 2X.X9.18.X0  port 22
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
mouath@2X.X9.18.X0 : Permission denied (publickey,password).
Connection closed

Screenshot from /etc/ssh/sshd_config
https://i.imgur.com/QzNXBSD.png

Reply Report

unixynet October 15, 2018

What’s the /var/log/auth.log file say when the password fails?
Reply Report

Answer 4

ibrhajjaj October 15, 2018

Thanks, It did work.

Now when I tried to log in using SFTP or ssh I get this

Connection reset by 2X.X9.18.X0 port 22
Connection closed

Long error using ssh -vv | sftp -vv

OpenSSH_7.7p1, OpenSSL 1.0.2o  27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 2X.X9.18.X0 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 2X.X9.18.X0 [2X.X9.18.X0 ] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/I B R A H I M HA/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4
debug1: match: OpenSSH_7.6p1 Ubuntu-4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 2X.X9.18.X0 :22 as 'mouath'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
 debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
 debug1: Host '2X.X9.18.X0' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/I B R A H I M HA/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_rsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_dsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_ed25519 (0x0)
debug2: key: /c/Users/I B R A H I M HA/.ssh/id_xmss (0x0)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_rsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_dsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ecdsa
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_ed25519
debug1: Trying private key: /c/Users/I B R A H I M HA/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 2X.X9.18.X0([2X.X9.18.X0]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
Connection reset by 2X.X9.18.X0  port 22
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mouath@2X.X9.18.X0's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
mouath@2X.X9.18.X0 : Permission denied (publickey,password).
Connection closed

Screenshot from /etc/ssh/sshd_config
https://i.imgur.com/QzNXBSD.png

Reply Report

unixynet October 15, 2018

What’s the /var/log/auth.log file say when the password fails?
Reply Report

Answer 5

ibrhajjaj October 16, 2018

Sorry for being late!

I tried to log in to the server from the user who has the problem and here is the log.

Oct 16 18:42:17 ibrahimh sshd[9947]: Accepted password for root from 2X.X9.18.X0 port 16041 ssh2
Oct 16 18:42:17 ibrahimh sshd[9947]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 16 18:42:17 ibrahimh systemd-logind[789]: New session 882 of user root.


Oct 16 18:45:57 ibrahimh sshd[10048]: Accepted password for mouath from 2X.X9.18.X0 port 16394 ssh2
Oct 16 18:45:57 ibrahimh sshd[10048]: pam_unix(sshd:session): session opened for user mouath by (uid=0)
Oct 16 18:45:57 ibrahimh systemd: pam_unix(systemd-user:session): session opened for user mouath by (uid=0)
Oct 16 18:45:57 ibrahimh systemd-logind[789]: New session 883 of user mouath.
Oct 16 18:45:58 ibrahimh sshd[10142]: fatal: bad ownership or modes for chroot directory component "/var/www/"
Oct 16 18:45:58 ibrahimh sshd[10048]: pam_unix(sshd:session): session closed for user mouath
Oct 16 18:45:58 ibrahimh systemd-logind[789]: Removed session 883.

Reply Report

ibrhajjaj October 16, 2018

You are the best thanks for letting me know where my mistakes.

Now I have one more little problem the chown work very good ( “ he can’t delete/add/update ”) but it still shows other folders is there is a way that I can hide them?

in the below Gif, the user has permission for the first folder not and he doesn’t have permission for the rest folders.

https://i.imgur.com/E6TQKTD.gif
Reply Report
- unixynet October 17, 2018
  
  You’ll need to further limit the chroot. So instead of /var/www, set it to /var/www/html to limit it to html/. Otherwise the user will be able to see all readable files and folders under /var/www
  
  Reply Report

Answer 6

ibrhajjaj October 16, 2018

You are the best thanks for letting me know where my mistakes.

Now I have one more little problem the chown work very good ( “ he can’t delete/add/update ”) but it still shows other folders is there is a way that I can hide them?

in the below Gif, the user has permission for the first folder not and he doesn’t have permission for the rest folders.

https://i.imgur.com/E6TQKTD.gif
Reply Report
- unixynet October 17, 2018
  
  You’ll need to further limit the chroot. So instead of /var/www, set it to /var/www/html to limit it to html/. Otherwise the user will be able to see all readable files and folders under /var/www
  
  Reply Report

Related

Question

how can I make folder accessible by one user

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

how can I make folder accessible by one user

Related

Leave a comment

Related

question

cpu from 13% to 100% in one minute

question

Why are snapshots so slow

question

PHP Error Log: authz_core:error - For files that don't exists on my server

question

How to make web service unavailable. As I develop this application, I'd rather not be burning up CPU or access time when not logged in.

Looking for something else?