I’m creating a droplet using the WordPress image. I want to create an SFTP user that can access the theme folder (/var/www/html/wp-content/themes) but at the same time not access the plugin folder (/var/www/html/wp-content/plugins/).

This is what I did so far:
sudo useradd -d /var/www/html/wp-content/themes newuser
passwd newuser

In /etc/ssh/sshd_config I added:

Subsystem sftp /usr/lib/openssh/sftp-server
Match User newuser
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

I can connect with the new SFTP user, but the user can navigate and reach the plugin folder.

How can I prevent that and limit this user to this home folder (/var/www/html/wp-content/themes)?

Is there a way I can “exclude” a folder?

Thank you


Hello, @crerem

You can easily configure this by following this tutorial:

https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-18-04

The part which you are missing is Step 3 — Restricting Access to One Directory

What you need to do is to edit the /etc/ssh/sshd_config file and apply the following changes:

Match User sammyfiles
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

Where:

Match User tells the SSH server to apply the following commands only to the user specified. Here, we specify sammyfiles.

ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.

PasswordAuthentication yes allows password authentication for this user.

ChrootDirectory /var/sftp/ ensures that the user will not be allowed access to anything beyond the /var/sftp directory.

AllowAgentForwarding no, AllowTcpForwarding no, and X11Forwarding no disable port forwarding, tunneling and X11 forwarding for this user.

This set of commands, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.

Note: You can omit the PasswordAuthentication yes line and instead set up SSH key access for increased security. Follow the Copying your Public SSH Key section of the SSH Essentials: Working with SSH Servers, Clients, and Keys tutorial to do so. Make sure to do this before you disable shell access for the user. In the next step, we’ll test the configuration by SSHing locally with password access, but if you set up SSH keys, you’ll instead need access to a computer with the user’s keypair.

To apply the configuration changes, restart the service.

sudo systemctl restart sshd

You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.

Please make sure to change the sammyfiles user with your actual username.

Hope this helps!

Regards,
Alex

  • Thank you for the reply

    I have added

    Match User newuser
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/www/html/wp-content/themes
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

    But after that I could not log in at all.

    From the link you gave me I also did point no. 2, with folder permissions, but after that the WordPress install stopped working.

    Any idea what I’m doing wrong?

    Thank you

    • Hello, @crerem

      If you’ve changed the ownership of the WordPress directory using chown, I will suggest you revert those changes.

      What you can do is to modify the new user and add it to the group of the user owner of the WordPress installation. This is possible with the usermod command:

      sudo usermod -a -G group_name user_name

      You need to change group_name and user_name to the respective group and user names.

      Hope this helps!

      Let me know how it goes.

      Regards,
      Alex
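The login failure reported above after setting ChrootDirectory to the themes folder is the usual symptom of an sshd requirement that the thread never spells out: sshd_config(5) demands that the chroot directory and every one of its parent directories be owned by root and not writable by group or others, and a directory under a wp-content tree owned by the web server user fails that test, so sshd drops the session. The script below is an added example, not code from the thread or from DigitalOcean's tutorial; it walks each component of a candidate chroot path and reports the ones that violate the rule, and it renders the Match block from the answer above for a given user and directory so the two can be combined. It assumes GNU coreutils `stat` (the `-c` format flags), and the function names `check_chroot_path` and `render_match_block` are my own. The optional owner-uid argument exists only so the check can be exercised without root; in production leave it at the default of 0.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a ChrootDirectory.
# sshd_config(5): every component of the chroot path must be owned by root
# and must not be writable by group or others, otherwise sshd refuses the
# login. Assumes GNU coreutils `stat`.

# Usage: check_chroot_path PATH [OWNER_UID]
# Prints one line per offending path component; returns 1 if any were found.
# OWNER_UID defaults to 0 (root) and is a parameter only so the function can
# be tested without root privileges.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    bad=0
    cur=""
    # split the path on '/' and rebuild it one component at a time
    old_ifs=$IFS
    IFS=/
    set -- $path
    IFS=$old_ifs
    for part in "$@"; do
        [ -z "$part" ] && continue
        cur="$cur/$part"
        if [ ! -d "$cur" ]; then
            echo "$cur: does not exist or is not a directory"
            bad=1
            continue
        fi
        uid=$(stat -c '%u' "$cur")
        # zero-pad the octal mode so the last three digits are always
        # user/group/other, regardless of setuid/setgid/sticky bits
        perm=$(printf '%04d' "$(stat -c '%a' "$cur")")
        low=${perm#?}
        g=$(printf '%s' "$low" | cut -c2)
        o=$(printf '%s' "$low" | cut -c3)
        if [ "$uid" != "$want_uid" ]; then
            echo "$cur: owned by uid $uid, expected uid $want_uid"
            bad=1
        fi
        # bit 2 of an octal permission digit is the write bit
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "$cur: mode $low is group- or world-writable"
            bad=1
        fi
    done
    return $bad
}

# Usage: render_match_block USER CHROOT_DIR
# Emits the Match block from the answer above, parameterised on the username
# and the chroot directory, ready to append to /etc/ssh/sshd_config.
render_match_block() {
    cat <<EOF
Match User $1
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory $2
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}
```

A typical run on the server is `check_chroot_path /var/sftp && render_match_block newuser /var/sftp | sudo tee -a /etc/ssh/sshd_config && sudo sshd -t`, where `sshd -t` validates the configuration file before the restart. Running the check against /var/www/html/wp-content/themes on a stock WordPress droplet lists the web-server-owned components, which is exactly why a chroot there cannot work as-is: the chroot root has to be a root-owned directory such as /var/sftp, with the user's writable area as a subdirectory beneath it, as the linked tutorial's Step 3 sets up.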
