By crerem
I'm creating a Droplet using the WordPress image. I want to create an SFTP user that can access the theme folder (/var/www/html/wp-content/themes) but at the same time not access the plugin folder (/var/www/html/wp-content/plugins/).

This is what I did so far:

```shell
sudo useradd -d /var/www/html/wp-content/themes newuser
sudo passwd newuser
```

In /etc/ssh/sshd_config I added:

```
Subsystem sftp /usr/lib/openssh/sftp-server
Match User newuser
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
```

I can connect with the new SFTP user, but the user can navigate and reach the plugin folder.

How can I prevent that and limit this user to the home folder (/var/www/html/wp-content/themes)?

Is there a way I can "exclude" a folder?

Thank you
Hello, @crerem
You can easily configure this by following this tutorial:
The part which you are missing is Step 3 — Restricting Access to One Directory
What you need to do is to edit the /etc/ssh/sshd_config file and apply the following changes:

```
Match User sammyfiles
    ForceCommand internal-sftp
    PasswordAuthentication yes
    ChrootDirectory /var/sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
```
Where:

- Match User tells the SSH server to apply the following commands only to the user specified. Here, we specify sammyfiles.
- ForceCommand internal-sftp forces the SSH server to run the SFTP server upon login, disallowing shell access.
- PasswordAuthentication yes allows password authentication for this user.
- ChrootDirectory /var/sftp/ ensures that the user will not be allowed access to anything beyond the /var/sftp directory.
- AllowAgentForwarding no, AllowTcpForwarding no and X11Forwarding no disable port forwarding, tunneling and X11 forwarding for this user.
This set of commands, starting with Match User, can be copied and repeated for different users too. Make sure to modify the username in the Match User line accordingly.
Note: You can omit the PasswordAuthentication yes line and instead set up SSH key access for increased security. Follow the Copying your Public SSH Key section of the SSH Essentials: Working with SSH Servers, Clients, and Keys tutorial to do so. Make sure to do this before you disable shell access for the user. In the next step, we’ll test the configuration by SSHing locally with password access, but if you set up SSH keys, you’ll instead need access to a computer with the user’s keypair.
To apply the configuration changes, restart the service:

```shell
sudo systemctl restart sshd
```
You have now configured the SSH server to restrict access to file transfer only for sammyfiles. The last step is testing the configuration to make sure it works as intended.
Please make sure to change the sammyfiles user with your actual username.
Hope this helps!
Regards, Alex
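As an added example (the editor's, not code from either post above), here is the setup a practitioner would use so that the restriction actually holds. Two details matter that neither post states: sshd only honours ChrootDirectory when that directory and every parent component are owned by root and not group- or world-writable, so a chroot at the www-data-owned themes directory is refused, while a chroot at wp-content would still expose plugins/; and a second "Subsystem sftp" line makes sshd reject the whole configuration, so the old one keeps running. The workaround is a root-owned chroot, as in the answer, containing a bind mount of themes/ only. The user name sftpuser, the chroot path /var/sftp/sftpuser and www-data ownership of /var/www/html are assumptions about the Droplet. The first two functions run anywhere; setup_sftp_user must be run as root on the server.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed names: user "sftpuser", chroot /var/sftp/sftpuser, WordPress
# docroot /var/www/html owned by www-data.

# chroot_component_ok UID OCTAL_MODE
# The per-component test sshd applies to a ChrootDirectory path:
# owned by root (uid 0) and neither group- nor world-writable.
chroot_component_ok() {
    # 022 masks the group and other write bits of the octal mode
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Walk DIR and every parent up to / and apply chroot_component_ok, the
# way sshd does before it will chroot. Returns 0 if DIR is acceptable,
# otherwise prints the first offending component and returns 1.
check_chroot_path() {
    dir=$(realpath -- "$1") || return 1
    while :; do
        out=$(stat -c '%u %a' -- "$dir") || return 1   # GNU/busybox stat
        set -- $out
        if ! chroot_component_ok "$1" "$2"; then
            echo "$dir: bad ownership or mode (uid $1, mode $2)"
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname -- "$dir")
    done
}

# sftp_match_block USER CHROOT
# Print the sshd_config stanza for one user. Match blocks belong at the
# end of sshd_config: every directive after "Match" applies to that block
# until the next Match line.
sftp_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    PasswordAuthentication yes
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# setup_sftp_user USER
# Full procedure; run as root on the Droplet.
setup_sftp_user() {
    user=$1
    chroot=/var/sftp/$user
    themes=/var/www/html/wp-content/themes

    # 1. No-shell user; home is the path *inside* the chroot, so the SFTP
    #    session starts in themes/. Group www-data grants write access.
    useradd --no-create-home --home-dir /themes --shell /usr/sbin/nologin \
            --groups www-data "$user"
    passwd "$user"

    # 2. Root-owned chroot skeleton (sshd's requirement), containing only
    #    the themes mount point. plugins/ is never mounted inside it.
    mkdir -p "$chroot/themes"
    chown root:root /var/sftp "$chroot" "$chroot/themes"
    chmod 755 /var/sftp "$chroot" "$chroot/themes"
    check_chroot_path "$chroot" || return 1

    # 3. Bind-mount themes/ into the chroot, persistently across reboots.
    echo "$themes $chroot/themes none bind 0 0" >> /etc/fstab
    mount "$chroot/themes"

    # 4. Group-writable with setgid, so files the SFTP user creates stay
    #    group-owned by www-data and remain readable by PHP.
    chmod 2775 "$themes"

    # 5. Append the Match block, validate, then restart. Do not add another
    #    "Subsystem sftp" line: the default config already has one and a
    #    duplicate makes sshd -t fail.
    sftp_match_block "$user" "$chroot" >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd
}
```

Inside the chroot the user sees only /themes; there is no /plugins to navigate to, so nothing needs to be "excluded". If WordPress itself (running as www-data) must be able to overwrite files the SFTP user uploads, use `ForceCommand internal-sftp -u 002` so uploads are created group-writable.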