How do I restrict a user to a specific directory?

Posted November 30, 2015 209.8k views
Linux BasicsCentOSSecurity

I am relatively new to unix server admin, so this question may seem dumb. I am running a CentOS 7 droplet. I have created a new user and set the users home directory to /var/www/blablabla/public_html via usermod. I guess I really have two questions:

  1. How do I restrict the user to only be able to do anything within that folder? (ie: that folder is the user’s root and they cannot view/edit anything higher in the directory tree)

  2. Can I restrict a user from connecting via SSH while still allowing them to connect via SCP? And if so, how?

1 comment
  • I created the user in CentOS from the command prompt.

    • I created it and it is working, but the issue is that I need to restrict access to the root folder. What do I need to do for that? Please give more details.

5 answers


1). If you’ll see the mini guide below, you’ll be able to knock this out relatively quickly :-). This will also set you up for #2 as well, if #2 is what you’re wanting.

2). SCP requires SSH, so you wouldn’t be able to allow SCP and deny SSH. If you meant SFTP, then yes, you can deny SSH access and still allow SFTP.

First thing, launch PuTTy, Terminal or your preferred application to access your Droplet and login as either root or your sudo user.

1). First, we need to create a new group for SFTP users. To this group, we add users that will be able to connect to SFTP. Only users added to this group will be able to SFTP in to your server (of course, this does not limit the root user – you do not want to add root to this group, nor modify the root user at all). To do this, we’ll use the following command:

groupadd sftpusers

You can, of course, choose another group name if you’d like. The name of the group doesn’t have to be sftpusers (it could be anything, as long as the group does not already exist).

2). Now that we have our SFTP group, we can use the following command to add new users to that group, thus, once we’re done, allowing them to use SFTP.

useradd -g sftpusers -d /path/to/users/home -s /sbin/nologin username

-g specifies the group name (referencing the group we just created in #1).

-d specifies the user's home directory (i.e. /home/username/htdocs/public_html for example)

-s specifies shell access (/sbin/nologin means SSH is disabled for this user, as it should be)

The last part of the command, username, is the username of the user you’d like to add. So, for example, if I wanted to create a new user by the name of exampleuser, and a directory of /home/exampleuser/htdocs/public_html, I’d run:

useradd -g sftpusers -d /home/exampleuser/htdocs/public_html -s /sbin/nologin exampleuser

3). Verify the user by checking /etc/passwd. The newly created user should appear at the bottom of the list.

grep exampleuser /etc/passwd

4). If you’d like to modify an existing user, we can use the following command:

usermod -g sftpusers -d /path/to/users/home -s /sbin/nologin existinguser

Simply change -d to the user's home directory and existinguser to the user you wish to modify.

5). We now need to modify our SSH configuration to allow SFTP (as this is often not enabled by default, at least for users other than root). To do this, we need to load up our SSH configuration file.

sudo nano /etc/ssh/sshd_config

If you see:

Subsystem      sftp    /usr/libexec/openssh/sftp-server

Comment it out like so:

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

If that line does not exist, simply add the following to the end of the file:

Subsystem sftp internal-sftp
    Match group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp

What this does is set SSH to allow SFTP, requires that the user's group match sftpusers, sets the SFTP directory to their specified home directory (the one we set when we either created or modified the user) and forces the use of the internal SFTP server. This prevents us from having to use another piece of software to handle SFTP.

Now we need to restart SSH by issuing:

sudo service ssh restart

6). Now that we have everything set up, we need to make one final modification to the permissions we have set on our directories (this would need to be done for each user).

For this example, I’ll use the home directory I referenced above


For SFTP to properly work, we need to make sure the home directory is owned by the user and group we just set, everything else needs to be owned by root. So if we set our home directory to the above, we need to run:

chown -R exampleuser:sftpusers /home/exampleuser/htdocs/public_html

You can verify the ownership by changing over to /home/exampleuser/htdocs/

cd /home/exampleuser/htdocs/

and running

ls -al

So you should see the following ownership when running the ls -al command:

root:root /home/
root:root /home/exampleuser/
root:root /home/exampleuser/htdocs/

exampleuser:sftpusers /home/exampleuser/htdocs/public_html

If that’s what you see, you should now be able to SFTP in as exampleuser using your Droplet IP and the password you set for this user. If you’ve not yet set a password, you can use the passwd command from the CLI:

passwd exampleuser

and you’ll be prompted to set a password.

If you need any help or are confused by any of the above, just let me know and I’ll be more than happy to help!

  • So I:

    • Made the sftpusers group
    • Created a new user with the line you provided (adding it to the sftpusers group and pointing it to the home directory I wanted)
    • Commented out the existing Subsystem line in the sshd_config file
    • Added the new Subsystem line to the end of the sshd_config file
    • Restarted the sshd
    • chowned the home directory
    • Set the password for the new user

    I am unable to connect to SSH or SCP with the new user, which is good. But I am also unable to connect via SFTP. When I connect via SFTP with the new user and the correct password, I get disconnected (the wrong password asks me to enter the password again).

    • @Maxoplata

      When you say “chowned the home directory”, how did you go about it? This is one part that is very specific when it comes to successfully logging in or always being denied.

      If you would, load up your SSH configuration file

      sudo nano /etc/ssh/sshd_config

      And search for:


      If this option is not commented and set to no, and you want to use passwords instead of SSH Keys, then change no to yes and make sure this line is not prefixed with a #. The default option (when commented) is yes, though we can be specific and specify it to make sure and troubleshoot.

      Once the above line looks like:

      PasswordAuthentication yes

      Restart the service:

      service sshd restart

      Now try to login once again. If you’re still receiving an error, we need to take a look at directory permissions to see if something was missed.

      To do this, we can start at /home/ and work our way down. If you would, please post the output of ls -al for each directory, starting with /home/ and moving down to the user's defined home directory that you specified when adding the user.

      So if the home directory was:


      You’d run ls -al on each of the following independently:

      • @jtittle

        Sorry. By “chowned the home directory” I meant chowned the user’s home directory with the line you provided:

        chown -R brianjeon:sftpusers /var/www/

        This is what is already in my sshd_config for PasswordAuthentication:

        # To disable tunneled clear text passwords, change to no here!
        #PasswordAuthentication yes
        #PermitEmptyPasswords no
        PasswordAuthentication yes

        For the permissions, here are the ls -al lines:

        /var :

        drwxr-xr-x. 21 root root       4096 Nov 30 10:38 var

        /var/www :

        drwxr-xr-x  10 root root 4096 Nov 30 10:55 www


        drwxr-xr-x 3 root root 4096 Nov 29 13:06


        drwxr-xr-x 2 brianjeon sftpusers  4096 Nov 29 17:59 public_html
        • @jtittle

          Is there anything wrong that you can see with my setup?

          • @Maxoplata - My apologies for the delay, my son has been sick and in turn, passed it on to me it seems (and I was going strong at almost three years of not a single issue! – ah, time to start the counter up as I see how long I can make it after this bout).

            That said, the mini-guide above is what I often use, though I normally use SSH Keys with a passkey on each SSH Key over basic password authentication (simply for better overall security).

            Not using SSH Keys, however, wouldn’t cause this issue.

            What I would do first is run:

            chown -R brianjeon:sftpusers /var/www/

            That’ll recursively change the ownership of all files and directories, starting with ./, so when you run ls -al from /var/www/, you should see the directory as being owned by your user and the sftp users group.

            If the above doesn’t allow you to login, still, please post a copy of your /etc/ssh/sshd_config file (you can remove the port from Port if you’d like).

          • @jtittle

            Sorry to hear about that. I am replying here because it won’t let me reply any deeper than your last post, lol.

            Anyway, /var/www/ IS the home dir, not the one above it. Either way, I tried that and still was unable to login via sftp (still has the same behavior as described before).

            Here is the sshd_config:

  • I tried to use your method but failed to sftp as exampleuser with the correct password.
    Finally, I changed the value of ChrootDirectory from '%h' to the absolute parent path of exampleuser (it will be '/home/exampleuser/htdocs/' in your example). Then it succeeded to login by sftp and displayed '/' using the command pwd.
    Why does %h not work?

  • Hello.
    I followed step by step your instructions. All is set up like in your example. But when I try to connect with FileZilla I receive the error: FATAL ERROR: Network error: Software caused connection abort
    Error: Could not connect to server.
    Can you please help me?

Hello @Maxoplata
I’ve tried to do what you explain in this article, but now I can’t access with root user in my droplet.
Here’s the list of commands I’ve executed in Putty:

groupadd sftpusers
useradd -g sftpusers -d /var/www/ -s /sbin/nologin evuser
grep evuser /etc/passwd
sudo nano /etc/ssh/sshd_config

I’ve commented this: #Subsystem sftp /usr/lib/openssh/sftp-server
And added this after that line:
Subsystem sftp internal-sftp
Match group sftpusers
ChrootDirectory %h
ForceCommand internal-sftp*

chown -R evuser:sftpusers /var/www/
cd /var/www/
passwd evuser

Do you know how I can undo these commands?
PS: I’m using Debian 8.

  • I did the same thing. Completely locked out of my server. Any solution to this yet?

    Much appreciated.


    • I had the same problem. You need to add the lines mentioned in your sshd_config at the bottom. If you add it above the PAM line, you’ll get locked out.
      When you restart ssh with “service ssh restart” it will not lock you out of your current session. So you can try to login via ssh from another device. If there are problems, use your running session to restore the sshd config - repeat until you are sure you won’t get locked out of your ssh.

If you do not want to use the user home directory, e.g. /home/exampleuser, then the ssh configuration should be like this:
Subsystem sftp internal-sftp
Match group sftpusers
# ChrootDirectory %h
ForceCommand internal-sftp

Restart ssh service then it will work for you.

Hello guys,

The article shows that typing the command ls -al would show something like this:

root:root /home/
root:root /home/exampleuser/
root:root /home/exampleuser/htdocs/

exampleuser:sftpusers /home/exampleuser/htdocs/public_html

But typing the command shows me this result:

using the cd command and then the ls -al command:

As for permission, I used the command:

chown -R exampleuser examplegroup /var/www/

but the /wp-content folder is already existing and already has the permission www-data:www-data. So I can change it to exampleuser:sftpusers, no problem?

Anyway, I am not able to access SFTP with this new user when placed in the group, ie I have an existing user and he accesses normally, but accesses all folders of the server. Then I create the group, put the user in the group with the command below, and do the rest of the steps shown in the article, but after that the user no longer enters:

usermod -g newgroup -d /var/www/ -s /sbin/nologin existinguser

Can someone help me?


How can I restrict a user, who is logging in with a key in FileZilla, to his home directory only?
Please let me know the way.