DigitalOcean

Report this

What is the reason for this report?
Question

Trying to setup a SFTP user with limited access.

Posted on March 7, 2017
Security
Linux Basics
Ubuntu 16.04
Getting Started
Stephen Meehan

By Stephen Meehan

##What I want to do

I want to add a second user, but restrict what the user can do:

  • Only access a single folder called newsletters, it will be in the public folder.
  • The user needs to be able to upload, delete and rename files via SFTP
  • The user must not be able to navigate away from the newsletters, folder

This is the full path to the newsletters folder: /srv/users/serverpilot/apps/test-app/public/newsletters

##What I’ve done so far

I’ve followed this guide How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata), there’s a great reply by Jonathan Tittle (@jtittle).

However, I’m still having problems logging in via SFTP

I’ve listed out all the steps I’ve done - hopefully someone with more experience will be able to spot my error(s)!

##1. Created a new user

  1. Logged in as root
  2. Created a new user called user-sftp-only 2. adduser user-sftp-only
  3. I can check the user has been created by running 4. compgen -u 5. user-sftp-only is at the bottom of the list
  4. I can also see what the path of the user is and shell access by running:
  5. grep user-sftp-only /etc/passwd outputs:
user-sftp-only:x:1004:1007:,,,:/home/user-sftp-only:/bin/bash

##2. Give new user root privileges

  1. Give new user user-sftp-only root privileges 2. gpasswd -a user-sftp-only sudo
  2. Logout as root

##3. Create a new directory

  1. Logged in as user-sftp-only
  2. Create a new directory in public called newsletters: 4. cd /srv/users/serverpilot/apps/test-app/public/ 5. Followed by: 6. sudo mkdir newsletters

##4. Check directory permissions

  1. Still inside the public folder from the previous step, I run ls -al
  2. Shows me this:
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar  3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar  3 16:22 index.php
drwxrwxr-x+ 2 root        root        4096 Mar  7 15:26 newsletters

From reading various DigitalOcean posts, I know I need to create a group and assign my new user user-sftp-only to that group, Then change root root to the name of my user and group.

##5. Create a new group

  1. Logged in as user-sftp-only
  2. sudo groupadd group-sftp-only
  3. I can check the group has been created by running 4. compgen -g 5. group-sftp-only is at the bottom of the list

Note: I notice my new user called user-sftp-only is also in this list?

##6. Add user to the group

  1. Logged in as root
  2. Added the user user-sftp-only to a group called group-sftp-only
  3. Doing this means it’s no longer possible to SSH in as user user-sftp-only
usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only
  • -gspecifies the group name
  • -d specifies the users home directory
  • -s specifies shell access (/sbin/nologin means SSH is disabled for this user)

##7. Verify the changes to the user

  1. Logged in as root
  2. grep user-sftp-only /etc/passwd
  3. Shows me:
user-sftp-only:x:1001:1004:,,,:/srv/users/serverpilot/apps/test-app/public/newsletters:/sbin/nologin

##8. Modify SSH Configuration to allow SFTP

  1. Logged in as root
  2. nano /etc/ssh/sshd_config
  3. Commented out this line:
  4. #Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
  5. At the very bottom of sshd_config added this:
Subsystem sftp internal-sftp
    Match group group-sftp-only
    ChrootDirectory %h
    ForceCommand internal-sftp

##9. Restart SSH

  1. Still logged in as root
  2. service ssh restart

##10. Modify permissions

  1. Still logged in as root
  2. This is the home directory for user user-sftp-only
  3. /srv/users/serverpilot/apps/test-app/public/newsletters
  4. Used this to make sure the home directory is owned by the user and group
chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters

##11. Verify ownership change

  1. Still logged in as root
  2. cd /srv/users/serverpilot/apps/test-app/public/
  3. ls -al shows me:
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  3 16:22 ..
-rw-r--r--+ 1 serverpilot    serverpilot     3393 Mar  3 16:22 index.php
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar  7 15:26 newsletters
  1. cd /srv/users/serverpilot/apps/test-app/public/newsletters
  2. ls -al shows me:
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  7 15:26 ..

That’s where I’m up to. However, I can’t login in as my new user user-sftp-only via SFTP

Not sure where I’m going wrong - I’m new to this!

##EDIT

I can login via SFTP with another user name - Using a FTP client called Transmit.

If I get info on the folder newsletters everything matches what Terminal is telling me…

Here’s a screenshot

Perch Screenshot



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Stephen Meehan
Stephen Meehan
March 8, 2017

Accepted Answer

Hi @jtittle

Thank you so much for taking the time to read and reply to my post!

After following your great instructions, the user user-sftp-only is restricted to just the newsletters folder. user-sftp-only can upload, rename and delete files and sub-folders via SFTP only. Great.

If I cd to /home/user-sftp-only and run ls -l I see this:

drwxr-xr-x 2 user-sftp-only user-sftp-only 4096 Mar 8 11:58 newsletters

Next step is to configure a way to sync the files located here:

/home/user-sftp-only/newsletters

So they automatically appear here:

/srv/users/serverpilot/apps/test-app/public/newsletters

I found a DigitalOcean article How To Mirror Local and Remote Directories on a VPS with lsyncd. Is this what you have in mind for syncing?

0
valeriodeluca
valeriodeluca
February 4, 2018

hi guys, tks for guide! I get error in filezilla if I log with new user: network error: software caused connection abort filezilla

0
Stephen Meehan
Stephen Meehan
March 8, 2017

Hi @jtittle

That works great! Thank you so much for your help with this.

It’s a shame deleted files aren’t also synced, but that’s ok. I’ll set delete = false If the end user ever needs to delete any files I can do it manually for them.

I’ve been struggling with this for longer than I’d like to admit! However, thanks to you and the many DigitalOcean posts I’ve read, I have expanded my knowledge of Terminal and navigating around my server.

Great stuff.

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.