## What I want to do
I want to add a second user, but restrict what the user can do:
newsletters, it will be in the
This is the full path to the
## What I’ve done so far
I’ve followed this guide How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata), there’s a great reply by Jonathan Tittle (@jtittle).
However, I’m still having problems logging in via
I’ve listed out all the steps I’ve done - hopefully someone with more experience will be able to spot my error(s)!
## 1. Created a new user
user-sftp-only is at the bottom of the list
grep user-sftp-only /etc/passwd outputs:
## 2. Give new user root privileges
user-sftp-only root privileges
gpasswd -a user-sftp-only sudo
## 3. Create a new directory
cd /srv/users/serverpilot/apps/test-app/public/
Followed by:
sudo mkdir newsletters
## 4. Check directory permissions
public folder from the previous step, I run
```
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 root root 4096 Mar 7 15:26 newsletters
```
From reading various DigitalOcean posts, I know I need to create a group and assign my new user user-sftp-only to that group, then change root root to the name of my user and group.
## 5. Create a new group
sudo groupadd group-sftp-only
group-sftp-only is at the bottom of the list
Note: I notice my new user called user-sftp-only is also in this list?
## 6. Add user to the group
user-sftp-only to a group called
usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only
-g specifies the group name
-d specifies the user's home directory
-s specifies shell access (/sbin/nologin means SSH is disabled for this user)
## 7. Verify the changes to the user
grep user-sftp-only /etc/passwd
## 8. Modify SSH Configuration to allow SFTP
```
#Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
Subsystem sftp internal-sftp
Match group group-sftp-only
    ChrootDirectory %h
    ForceCommand internal-sftp
```
## 9. Restart SSH
service ssh restart
## 10. Modify permissions
chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters
## 11. Verify ownership change
ls -al shows me:
```
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 newsletters
```
ls -al shows me:
```
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 ..
```
That’s where I’m up to. However, I can’t log in as my new user
Not sure where I’m going wrong - I’m new to this!
I can log in via SFTP with another user name, using an FTP client called Transmit.
get info on the folder newsletters, everything matches what Terminal is telling me…
Here’s a screenshot
Thank you so much for taking the time to read and reply to my post!
After following your great instructions, the user
user-sftp-only is restricted to just the
user-sftp-only can upload, rename and delete files and sub-folders via SFTP only. Great.
ls -l I see this:
drwxr-xr-x 2 user-sftp-only user-sftp-only 4096 Mar 8 11:58 newsletters
Next step is to configure a way to sync the files located here:
So they automatically appear here:
I found a DigitalOcean article How To Mirror Local and Remote Directories on a VPS with lsyncd. Is this what you have in mind for syncing?
Thanks for the mention! It seems the community requires a space after @ mentions, so I didn’t get tagged in this one, but glad I caught it :-). I’ll do my best to help!
When it comes to SFTP, the user's home directory needs to be owned by root. The user would then be able to access any/all directories below that, so that’s most likely where the issue is.
For example, if we create
Then create a series of directories for that user, which they’ll be able to access once logged in:
chown those directories to the user:
user-sftp-only user should be able to log in and automatically get / which would be
They should be able to access only public, private, logs (they could even delete them if they wanted, or upload files to them).
That being said, you have a unique need. You’re wanting the user-sftp-only user to be able to only access a directory that is located in a non-root owned directory, which is why you’re not able to log in.
home directory needs to be owned by root, otherwise they may be able to escape from it.
So in your case, that user should only be able to access newsletters but the following directory is not owned by root, nor should it be since it’s a public-facing directory:
So how do we work around this? If that user only needs access to that one directory, you could use either a symlink (not the best solution) or perhaps even rsync to synchronize the two directories (probably the better option so you’re not messing around with symlinks).
What I would do is start fresh.
Add The User
This sets the home directory and removes the ability to login using SSH (but will allow SFTP).
Add The SFTP Group
Modify The User and Append The New Group
What we’re doing here is appending the new group on to the user, so we’re not changing the current group, rather, making them a member of both their base user-sftp-only group as well as that of the newly added
Now restart SSH - service ssh restart.
Add Newsletters Directory
You’ll note I’m using user-sftp-only for both the user and group. That’s because we didn’t change the user's group when we used groupadd – we appended that group on – so we don’t need to set group-sftp-only as the group that owns the directory.
Set Password for user-sftp-only
At this point, you should be able to log in via SFTP and get / which would be:
and within it should be:
If you can test to make sure that works, that’s at least step one complete and we know the user can in fact log in as required. From there, it’s a matter of setting up rsync or some sort of method to make sure when files are uploaded/deleted to/from /home/user-sftp-only/newsletters, that they also do the same in the other directory.
Hi guys, thanks for the guide! I get an error in FileZilla if I log in with the new user: network error: software caused connection abort filezilla