Read only permission to sftp user in specific directory

Question

I want to create specific SFTP user which will have permissions to only read all folders and subfolders in /var/www/vhosts. Any help on this ?

Answer 1

Unix systems provide the chroot command which allows you to reset the / of the user to some directory in the filesystem hierarchy, where they cannot access "higher-up" files and directories.

However in your case, it would appropriate to provide a virtual chroot implemented by the remote shell service. sftp can be easily configured to restrict a local user to a specific subset of the filesystem.

hence in your case, you want to chroot let's say, user foo user into the /var/www/vhosts/ directory.

You can set a chroot directory for your user to confine them to the subdirectory /var/www/vhosts/ like so in /etc/ssh/sshd_config;

Create user foo with password

sudo useradd foo
sudo passwd foo

Create for SFTP only group

$ sudo groupadd sftp_users 

Add to a user foo for SFTP only group

$ sudo usermod -G sftp_users foo 

Change owner, because read/write permission

sudo chown root.root /var/www/vhosts/

Add permission

sudo chmod 755 /var/www/vhosts/

Edit /etc/ssh/sshd_config

sudo vi /etc/ssh/sshd_config

Comment out and add a line like below

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add at the last

Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /var/www/vhosts/
  ForceCommand internal-sftp

(NOTE : Match blocks need to be at the END of the sshd_config file.)

Restart ssh service

sudo service ssh restart

With this cenfiguration you can ssh into folder ubuntu and get files. Can not put or delete

To sftp in right folder edit /etc/passwd. Change line for user foo to look like this

$ sudo vi /etc/passwd

..
foo:x:1001:1001::/var/www/vhosts/:
..

This will change user foo home folder to your sftp server folder.