In this guide, we are going to learn how to restrict SFTP user access to specific directories in Linux systems. SFTP, an acronym for Secure File Transfer Protocol, is a file transfer protocol that runs over SSH. It offers all the features of the legacy FTP protocol, but in a more secure manner.
Restrict SFTP User Access to Specific Directories in Linux
To restrict SFTP user access to specific directories in Linux, SFTP chroot jails are used. An SFTP chroot jail ensures that an SFTP user, once logged in to the system, is confined to specific directories and has no access to any other directory on the system.
OpenSSH comes with the support for SFTP chroot jails by default.
Install OpenSSH Server
In order to be able to configure restricted directory access for SFTP users, ensure that OpenSSH server is installed.
OpenSSH server can be installed by running the commands below;
On CentOS and Other RHEL derivatives;
yum -y install openssh-server openssh-clients
On Ubuntu and Other Debian derivatives;
apt install openssh-server -y
For other Linux distros, consult your distro guide on how to install OpenSSH server.
Create Unprivileged SFTP User Account
Create a group to assign SFTP user accounts to. Note that this is not strictly necessary, as the directories you will be assigning to the user may already have a specific group assigned to them.
Next, create a less privileged account for the SFTP user. Replace the username accordingly;
useradd -M -g sftpgroup -s /usr/sbin/nologin sftpuser
If, for example, you are restricting SFTP user access to web server directories such as the Nginx or Apache root directories, which are already owned by the web server group (www-data, nginx or apache), you would simply set the primary group of the user by replacing sftpgroup with that group, using one of the following:
useradd -M -g nginx -s /usr/sbin/nologin sftpuser
useradd -M -g apache -s /usr/sbin/nologin sftpuser
useradd -M -g www-data -s /usr/sbin/nologin sftpuser
You can also change the user’s primary group later using the usermod command. For example, to change the primary group of sftpuser to apache, simply run;
usermod -g apache sftpuser
Note that the group must exist for the command above to succeed.
You can also add sftpuser to an existing group as a secondary group.
usermod -aG apache sftpuser
Create a password for the user to unlock its account.
Verify the groups the user belongs to;
sftpuser : www-data
Restrict SFTP User Access to Directory with Chroot Jail
Once you have an SFTP user whose primary group matches the group of the directory you are limiting access to, you can configure the chroot jail using OpenSSH.
OpenSSH lets you specify the pathname of a directory to which the user is confined after authentication, through the use of the ChrootDirectory option.
Open the SSH configuration file for editing;
Enable the SSH in-process SFTP server by commenting out (add # at the beginning) the following line…
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
… and replacing it as follows;
Subsystem sftp internal-sftp
Next, add the following configuration options after the line above;
Match User sftpuser
    ChrootDirectory /var/www/html/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Such that your configuration looks like;
...
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match User sftpuser
    ChrootDirectory /var/www/html/
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
...
Note the directory name assigned to ChrootDirectory. This specifies the directory to which the user named by the Match User option has access. In this case, the directory is /var/www/html/, and the sub-directory inside it looks as follows:
ls -alhd /var/www/html/kifarunix/
drwxr-xr-x 5 www-data www-data 4.0K Mar 16 14:59 /var/www/html/kifarunix/
Also pay attention here: the chroot path, in this case /var/www/html, needs to be fully owned by root to ensure that the SFTP user has no access beyond its chroot jail.
ls -alh /var/www/html
total 4.0K
drwxr-xr-x. 4 root root 34 Mar 16 21:56 .
drwxr-xr-x. 4 root root 33 Mar 12 15:20 ..
drwxr-xr-x. 5 apache apache 4.0K Mar 16 21:56 kifarunix
For more explanation on options used, simply consult,
If you need to restrict a specific group instead, simply replace the line Match User sftpuser with Match Group sftpgroup, replacing the name of the group accordingly.
Restart the SSH service (the unit is named sshd on CentOS/RHEL and ssh on Ubuntu/Debian);
systemctl restart sshd
systemctl restart ssh
Verifying SFTP User Restricted Directory Access
Note that, in our setup above, we have restricted the SFTP user sftpuser to the web server root directory, /var/www/html/.
To verify the access controls, log in as the SFTP user. Replace the username and server_IP accordingly;
sftp sftpuser@server_IP
If SSH is running on a non-default port, you need to specify the port;
sftp -P port sftpuser@server_IP
Once logged in, check the current working directory;
sftp> pwd
Remote working directory: /
sftp>
List the contents;
sftp> ls
kifarunix
sftp>
Notice the sub-directory under the ChrootDirectory. Now try to move above the chroot;
sftp> cd ../../
sftp> pwd
Remote working directory: /
sftp> ls
kifarunix
sftp>
As you can see from the output above, sftpuser has no access outside the specified directory. That is how simple it is to restrict access of an SFTP user to a specific directory.
That marks the end of our guide on how to restrict SFTP user access to specific directories in Linux.
You can also read about SFTP chroot on HowTo: chroot SFTP (only).