I want to create a specific SFTP user which will have permissions to only read all folders and subfolders in /var/www/vhosts. Any help on this?
1 Answer
Unix systems provide the chroot command, which allows you to reset the / of the user to some directory in the filesystem hierarchy, where they cannot access "higher-up" files and directories.

However, in your case it would be appropriate to provide a virtual chroot implemented by the remote shell service. sftp can be easily configured to restrict a local user to a specific subset of the filesystem. Hence in your case, you want to chroot, let's say, user foo into the /var/www/vhosts/ directory.

You can set a chroot directory for your user to confine them to the subdirectory /var/www/vhosts/ like so in /etc/ssh/sshd_config:
Create user foo with a password:

sudo useradd foo
sudo passwd foo

Create an SFTP-only group:

sudo groupadd sftp_users

Add user foo to the SFTP-only group (-a appends, so existing supplementary groups are kept):

sudo usermod -aG sftp_users foo
Change the owner, because of read/write permissions:

sudo chown root:root /var/www/vhosts/

Add permissions:

sudo chmod 755 /var/www/vhosts/
Edit /etc/ssh/sshd_config:

sudo vi /etc/ssh/sshd_config

Comment out the existing Subsystem line and add a line like below:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add at the end:

Match Group sftp_users
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /var/www/vhosts/
    ForceCommand internal-sftp

(NOTE: Match blocks need to be at the END of the sshd_config file.)

Restart the ssh service:

sudo service ssh restart
With this configuration you can ssh into folder ubuntu and get files. You cannot put or delete.
To sftp into the right folder, edit /etc/passwd. Change the line for user foo to look like this:

sudo vi /etc/passwd
..
foo:x:1001:1001::/var/www/vhosts/:
..

This will change user foo's home folder to your sftp server folder.
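Before restarting sshd, it is worth checking the two things that most often go wrong with this recipe: the ChrootDirectory (and every directory above it) must be owned by root and not group- or world-writable, or sshd refuses the login, and the Match block must be the last thing in the file, or global-only directives that follow it trigger exactly the "Directive 'UsePAM' is not allowed within a Match block" error seen in the comments. The script below is an added example, not part of the answer above; the group name sftp_users, the directory /var/www/vhosts and the sample config contents are constructed defaults for the demo.

```shell
#!/bin/sh
# Added example, not part of the original answer: sanity checks for an
# SFTP-only chroot before restarting sshd. Group name, directory and the
# sample config contents are constructed; pass your own path to demo.

# chroot_mode_ok DIR: sshd rejects a ChrootDirectory that is group- or
# world-writable. Returns 0 when neither write bit is set on DIR.
chroot_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    m=${mode#"${mode%???}"}          # keep the last three octal digits
    g=$(( (m / 10) % 10 ))            # group permission digit
    o=$(( m % 10 ))                   # other permission digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# chroot_owner_ok DIR: the chroot directory must be owned by root (uid 0).
chroot_owner_ok() {
    [ "$(stat -c '%u' "$1" 2>/dev/null)" = 0 ]
}

# chroot_path_ok DIR: sshd applies both rules to every component of the
# path, so walk from DIR up to / and report the first offending component.
chroot_path_ok() {
    p=$1
    while [ -n "$p" ]; do
        [ -d "$p" ] || { echo "missing: $p" >&2; return 1; }
        chroot_owner_ok "$p" || { echo "not root-owned: $p" >&2; return 1; }
        chroot_mode_ok "$p"  || { echo "group/world writable: $p" >&2; return 1; }
        case "$p" in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return 0
}

# match_block_ok CONFIG: a Match block extends to the end of the file, so a
# global-only directive after the first Match line is a config error
# (UsePAM, Subsystem, Port and ListenAddress are not allowed inside Match).
match_block_ok() {
    awk '
        { key = tolower($1) }
        key == "match" { in_match = 1; next }
        in_match && (key == "usepam" || key == "subsystem" ||
                     key == "port" || key == "listenaddress") { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# render_sftp_match GROUP DIR: the Match block from the answer, generated so
# it can be appended to the END of sshd_config.
render_sftp_match() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# write_sample_config FILE good|bad: constructed sshd_config fragments for
# the demo; "bad" reproduces the ordering mistake from the comments.
write_sample_config() {
    if [ "$2" = good ]; then
        { printf 'Port 22\nUsePAM yes\nSubsystem sftp internal-sftp\n'
          render_sftp_match sftp_users /var/www/vhosts; } > "$1"
    else
        { printf 'Port 22\nSubsystem sftp internal-sftp\n'
          render_sftp_match sftp_users /var/www/vhosts
          printf 'UsePAM yes\n'; } > "$1"
    fi
}

# Demo (no root needed): every check sits in an if, so a failure only prints.
demo() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp/sshd_config.bad" bad
    write_sample_config "$tmp/sshd_config.good" good
    for f in "$tmp"/sshd_config.bad "$tmp"/sshd_config.good; do
        if match_block_ok "$f"; then echo "ok:  $f"; else echo "BAD: $f (Match block not at end)"; fi
    done
    if chroot_path_ok "${1:-/var/www/vhosts}"; then echo "ok:  chroot path"; else echo "BAD: chroot path"; fi
    rm -rf "$tmp"
}
demo "$@"
```

Run it as `sh sftp_chroot_check.sh /var/www/vhosts` after the chown/chmod steps and after appending the Match block; once it reports ok, `sshd -t` validates the real file and `sshd -T -C user=foo` prints the effective settings sshd will apply to that user, which confirms ForceCommand and ChrootDirectory are actually in force before you restart.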
So I added "Match Group sftp ChrootDirectory /var/www/vhosts AllowTcpForwarding no" in sshd_config and created the user and group as you did, but user foo has rights to all folders :( – Delirium, Jun 22, 2016 at 9:56

@Delirium see my updated answer – Rahul, Jun 22, 2016 at 10:20

Thank you so much for your answer. But there must be some mistake.. I added "Subsystem sftp internal-sftp Match Group sftp ChrootDirectory /var/www/vhosts AllowTcpForwarding no ForceCommand internal-sftp" but there is an error when I want to restart ssh: /etc/ssh/sshd_config line 92: Directive 'UsePAM' is not allowed within a Match block – Delirium, Jun 22, 2016 at 10:29

@Delirium I have clearly mentioned to put the Match..... section at the END of the file. Put that code at the end of the file and restart it. – Rahul, Jun 22, 2016 at 10:35

Sorry for my blind eyes, but it works, so really thank you. – Delirium, Jun 22, 2016 at 10:48