Question

How do I restrict a user to a specific directory?

I am relatively new to unix server admin, so this question may seem dumb. I am running a CentOS 7 droplet. I have created a new user and set the users home directory to /var/www/blablabla/public_html via usermod. I guess I really have two questions:

  1. How do I restrict the user to only be able to do anything within that folder? (ie: that folder is the user’s root and they cannot view/edit anything higher in the directory tree)

  2. Can I restrict a user from connecting via SSH while still allowing them to connect via SCP? And if so, how?

Subscribe
Share

i create user in centos with command promote

  • i create it and it working, but issue is i need to restrict access for root folder, for that what to do that? please give more details for that.

Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

@Maxoplata

1). If you’ll see the mini guide below, you’ll be able to knock this out relatively quickly :-). This will also set you up for #2 as well, if #2 is what you’re wanting.

2). SCP requires SSH, so you wouldn’t be able to allow SCP and deny SSH. If you meant SFTP, then yes, you can deny SSH access and still allow SFTP.

First thing, launch PuTTy, Terminal or your preferred application to access your Droplet and login as either root or your sudo user.

1). First, we need to create a new group for SFTP users. To this group, we add users that will be able to connect to SFTP. Only users added to this group will be able to SFTP in to your server (of course, this does not limit the root user – you do not want to add root to this group, nor modify the root user at all). To do this, we’ll use the following command:

groupadd sftpusers

You can, of course, choose another group name if you’d like. The name of the group doesn’t have to be sftpusers (it could be anything, as long as the group does not already exist).

2). Now that we have our SFTP group, we can use the following command to add new users to that group, thus, once we’re done, allowing them to use SFTP.

useradd -g sftpusers -d /path/to/users/home -s /sbin/nologin username```

-g specifies the group name (referencing the group we just created in #1).

-d specifies the users home directory (i.e. /home/username/htdocs/public_html for example)

-s specifies shell access (/sbin/nologin means SSH is disabled for this user, as it should be)

The last part of the command, username, is the username of the user you’d like to add. So, for example, if I wanted to create a new user by the name of exampleuser, and a directory of /home/exampleuser/htdocs/public_html, I’d run:

useradd -g sftpusers -d /home/exampleuser/htdocs/public_html -s /sbin/nologin exampleuser

3). Verify the user by checking /etc/passwd. The newly created user should appear the bottom of the list.

grep exampleuser /etc/passwd

4). If you’d like to modify an existing user, we can use the following command:

usermod -g sftpusers -d /path/to/users/home -s /sbin/nologin existinguser

Simply change -d to the users home directory and existinguser to the user you wish to modify.

5). We now need to modify our SSH Configuration to allow SFTP (as this is often no enabled by default, at least for users other than root). To do this, we need to load up our SSH configuration file.

sudo nano /etc/ssh/sshd_config

If you see:

Subsystem      sftp    /usr/libexec/openssh/sftp-server

Comment it out like so:

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

If that line does not exist, simply add the following to the end of the file:

Subsystem sftp internal-sftp
    Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp

What this does is set SSH to allow SFTP, requires that the users usergroup match sftpusers, sets the SFTP directory to their specified home directory (the one we set when we either created or modified the user) and forces the use of the internal SFTP server. This prevents us from having to use another piece of software to handle SFTP.

Now we need to restart SSH by issuing:

sudo service ssh restart

6). Now that we have everything setup, we need to make one final modification to the permissions we have set on our directories (this would need to be done for each user).

For this example, I’ll use the home directory I referenced above

/home/exampleuser/htdocs/public_html

For SFTP to properly work, we need to make sure the home directory is owned by the user and group we just set, everything else needs to be owned by root. So if we set our home directory to the above, we need to run:

chown -R examplegroup:sftpusers /home/exampleuser/htdocs/public_html

You can verify the ownership changing over to /home/exampleuser/htdocs/

cd /home/exampleuser/htdocs/

and running

ls -al

So you should see the following ownership when running the ls -al command:

root:root /home/
root:root /home/exampleuser/
root:root /home/exampleuser/htdocs/

exampleuser:sftpusers /home/exampleuser/htdocs/public_html

If that’s what you see, you should now be able to SFTP in as exampleuser using your Droplet IP and the password you set for this user. If you’ve not yet set a password, you can use the passwd command from the CLI:

passwd exampleuser

and you’ll be prompted to set a password.

If you need any help or are confused by any of the above, just let me know and I’ll be more than happy to help!

how can i restrict user to his home directory only, who is logging through key in filezilla? Please let me know the way

Hello guys,

In the article shows that when typing the command ls -al would show something like this:

root:root /home/ root:root /home/exampleuser/ root:root /home/exampleuser/htdocs/

exampleuser:sftpusers /home/exampleuser/htdocs/public_html

But typing the command shows me this result: https://screenshot.net/pt/1yxyxhx

using the cd command and then the ls -al command: https://screenshot.net/pt/rlnlnf6

As for permission, I used the command:

chown -R exampleuser examplegroup /var/www/my-site.com/wp-content

but the /wp-content folder is already existing and already has the permission www-data:www-data. So I can change it to exampleuser:sftpusers, no problem?

Anyway, I am not able to access SFTP with this new user when placed in the group, ie I have an existing user and he accesses normally, but accesses all folders of the server. Then I create the group, put the user in the group with the command below, and do the rest of the steps shown in the article, but after that the user no longer enters:

usermod -g newgroup -d /var/www/my-site.com/wp-content -s /sbin/nologin existinguser

Can someone help me?

Thanks.

If you do not want to use user home directory eg. /home/exampleuser then ssh cofiguration should be like this Subsystem sftp internal-sftp Match group sftpusers

ChrootDirectory %h

ForceCommand internal-sftp

Restart ssh service then it will work for you.

Hello @Maxoplata I’ve tried to do what you explain in this article, but now I can’t access with root user in my droplet. Here’s the list of commands I’ve executed in Putty:

groupadd sftpusers
useradd -g sftpusers -d /var/www/inovabrazil.com.br/htdocs -s /sbin/nologin evuser
grep evuser /etc/passwd
sudo nano /etc/ssh/sshd_config

I’ve commented this: #Subsystem sftp /usr/lib/openssh/sftp-server And add this after this line: Subsystem sftp internal-sftp Match group sftpusers ChrootDirectory %h ForceCommand internal-sftp*

chown -R evuser:sftpusers /var/www/inovabrazil.com.br/htdocs
cd /var/www/inovabrazil.com.br/htdocs
passwd evuser

Do you know how I can undo these commands? Regards, Patrick PS: I’m using Debian 8.