## What I want to do
I want to add a second user, but restrict what the user can do to a folder called `newsletters`, which will be in the `public` folder. This is the full path to the `newsletters` folder:

```
/srv/users/serverpilot/apps/test-app/public/newsletters
```
## What I've done so far

I've followed this guide: How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata); there's a great reply by Jonathan Tittle (@jtittle).

However, I'm still having problems logging in via SFTP.

I've listed out all the steps I've done - hopefully someone with more experience will be able to spot my error(s)!
## 1. Created a new user

1. As `root`.
2. Created a new user called `user-sftp-only` with `adduser user-sftp-only`.
3. Listed all users with `compgen -u`; `user-sftp-only` is at the bottom of the list.
4. `grep user-sftp-only /etc/passwd` outputs:

```
user-sftp-only:x:1004:1007:,,,:/home/user-sftp-only:/bin/bash
```
## 2. Give new user root privileges

As `root`, give `user-sftp-only` root privileges with:

```
gpasswd -a user-sftp-only sudo
```
## 3. Create a new directory

As `user-sftp-only`, create a new directory in `public` called `newsletters`:

```
cd /srv/users/serverpilot/apps/test-app/public/
```

Followed by:

```
sudo mkdir newsletters
```
## 4. Check directory permissions

In the `public` folder from the previous step, I run `ls -al`:

```
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 root root 4096 Mar 7 15:26 newsletters
```

From reading various DigitalOcean posts, I know I need to create a group and assign my new user `user-sftp-only` to that group, then change `root root` to the name of my user and group.
## 5. Create a new group

As `user-sftp-only`:

```
sudo groupadd group-sftp-only
compgen -g
```

`group-sftp-only` is at the bottom of the list. Note: I notice my new user called `user-sftp-only` is also in this list?
## 6. Add user to the group

As `root`, add `user-sftp-only` to a group called `group-sftp-only`:

```
usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only
```

- `-g` specifies the group name
- `-d` specifies the user's home directory
- `-s` specifies shell access (`/sbin/nologin` means SSH is disabled for this user)

## 7. Verify the changes to the user

As `root`, `grep user-sftp-only /etc/passwd` outputs:

```
user-sftp-only:x:1001:1004:,,,:/srv/users/serverpilot/apps/test-app/public/newsletters:/sbin/nologin
```
## 8. Modify SSH Configuration to allow SFTP

As `root`, `nano /etc/ssh/sshd_config`. The existing `Subsystem` line is now:

```
#Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
```

and in `sshd_config` I added this:

```
Subsystem sftp internal-sftp
Match group group-sftp-only
ChrootDirectory %h
ForceCommand internal-sftp
```
## 9. Restart SSH

As `root`:

```
service ssh restart
```
## 10. Modify permissions

As `root`, give `user-sftp-only` ownership of `/srv/users/serverpilot/apps/test-app/public/newsletters`:

```
chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters
```
## 11. Verify ownership change

As `root`:

```
cd /srv/users/serverpilot/apps/test-app/public/
ls -al
```

shows me:

```
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 newsletters
```

```
cd /srv/users/serverpilot/apps/test-app/public/newsletters
ls -al
```

shows me:

```
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 ..
```

That's where I'm up to. However, I can't log in as my new user `user-sftp-only` via SFTP.

Not sure where I'm going wrong - I'm new to this!
## EDIT

I can log in via SFTP with another user name, using an FTP client called Transmit. If I get info on the folder `newsletters`, everything matches what Terminal is telling me…

Here's a screenshot
Hi @jtittle

Thank you so much for taking the time to read and reply to my post!

After following your great instructions, the user `user-sftp-only` is restricted to just the `newsletters` folder. `user-sftp-only` can upload, rename and delete files and sub-folders via SFTP only. Great.

If I `cd` to `/home/user-sftp-only` and run `ls -l` I see this:

```
drwxr-xr-x 2 user-sftp-only user-sftp-only 4096 Mar 8 11:58 newsletters
```

Next step is to configure a way to sync the files located here:

```
/home/user-sftp-only/newsletters
```

so they automatically appear here:

```
/srv/users/serverpilot/apps/test-app/public/newsletters
```

I found a DigitalOcean article, How To Mirror Local and Remote Directories on a VPS with lsyncd. Is this what you have in mind for syncing?
Thanks for the mention! It seems the community requires a space after @ mentions, so I didn’t get tagged in this one, but glad I caught it :-). I’ll do my best to help!
When it comes to SFTP, the user's home directory needs to be owned by `root`. The user would then be able to access any/all directories below that, so that's most likely where the issue is.

For example, if we create `user-sftp-only` using:

```
useradd -d /home/user-sftp-only user-sftp-only
```

then create a series of directories for that user, which they'll be able to access once logged in:

```
mkdir -p /home/user-sftp-only/{public,private,logs}
```

And then `chown` those directories to the user:

```
chown -R user-sftp-only:user-sftp-only /home/user-sftp-only/*
```

The `user-sftp-only` user should be able to login and automatically get chrooted to `/`, which would be `/home/user-sftp-only` (for them).

They should be able to access only `public`, `private`, `logs` (they could even delete them if they wanted, or upload files to them).

…

That being said, you have a unique need. You're wanting the `user-sftp-only` user to be able to only access a directory that is located in a non-`root`-owned directory, which is why you're not able to login.

The `home` directory needs to be owned by `root`, otherwise they may be able to escape from it.

So in your case, that user should only be able to access `newsletters`, but the following directory is not owned by root, nor should it be since it's a public-facing directory:

```
/srv/users/serverpilot/apps/test-app/public
```

So how do we work around this? If that user only needs access to that one directory, you could use either a symlink (not the best solution) or perhaps even rsync to synchronize the two directories (probably the better option so you're not messing around with symlinks).
What I would do is start fresh.

## Add The User

This sets the home directory and removes the ability to login using SSH (but will allow SFTP).

```
useradd -d /home/user-sftp-only -s /bin/nologin user-sftp-only
```

## Add The SFTP Group

```
groupadd group-sftp-only
```

## Modify The User and Append The New Group

What we're doing here is appending the new group on to the user, so we're not changing the current group, rather, making them a member of both their base `user-sftp-only` group as well as that of the newly added `group-sftp-only` group.

```
usermod -aG group-sftp-only user-sftp-only
```

## Modify /etc/ssh/sshd_config

Replace:

```
Subsystem sftp /usr/lib/openssh/sftp-server
```

With:

```
Subsystem sftp internal-sftp
```

And below:

```
UsePAM yes
```

Add:

```
Match Group group-sftp-only
    # set the home directory
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes
```

Now restart SSH - `service ssh restart`.

## Add Newsletters Directory

```
mkdir -p /home/user-sftp-only/newsletters
```

## Change Ownership

You'll note I'm using `user-sftp-only` for both the user and group. That's because we didn't change the user's group when we used `groupadd` – we appended that group on – so we don't need to set `group-sftp-only` as the group that owns the directory.

```
chown -R user-sftp-only:user-sftp-only /home/user-sftp-only/*
```

## Set Password for user-sftp-only

```
passwd user-sftp-only
```

At this point, you should be able to login via SFTP and get chrooted to `/`, which would be:

```
/home/user-sftp-only
```

and within it should be:

```
/home/user-sftp-only/newsletters
```

If you can test to make sure that works, that's at least step one complete and we know the user can in fact login as required. From there, it's a matter of setting up rsync or some sort of method to make sure when files are uploaded/deleted to/from `/home/user-sftp-only/newsletters`, that they also do the same in the other directory.
Hi guys, thanks for the guide! I get an error in FileZilla if I log in with the new user: network error: software caused connection abort
I just pressed mark as accepted and my previous reply was removed/deleted?!

Just in case you don't receive an email/notification with my previous reply, I'd just like to say thank you very much for your help!
Hi @jtittle

That works great! Thank you so much for your help with this.

It's a shame deleted files aren't also synced, but that's ok. I'll set `delete = false`. If the end user ever needs to delete any files I can do it manually for them.

I've been struggling with this for longer than I'd like to admit! However, thanks to you and the many DigitalOcean posts I've read, I have expanded my knowledge of Terminal and navigating around my server.

Great stuff.
@smeehan What's the error log when you try to log in? Both the log from the server, `/var/log/auth.log`, and the client. From what I can read in the guide, the parent folder of `newsletters` needs to be root:root, but it's serverpilot:serverpilot. And I have no idea why you're giving the new user root privileges with sudo - why? @jtittle Can you assist, since you wrote the original guide?