19

How to add an ssh user who only has permissions to access specific folder?

useradd -d /var/www/xyz.com.tr/musteri  -s /bin/bash -g sshd musteri

I created a user called musteri. I set its home folder and group. So, I want to integrate musteri users into "/var/www/xyz.com.tr/musteri". I don't want it to access another folder.

Improve this question
5
  • Do you want the user to have full shell access, or only file copying protocols like sftp and rsync? Commented Jun 21, 2011 at 9:10
  • If the latter, you might want to look into scponly as a shell, possibly operating in chroot mode to restrict his access to that directory and nowhere else. Commented Jun 21, 2011 at 10:12
  • 1
    @Gilles - I want to access through sftp. But,I don't want it to access another folder. Commented Jun 21, 2011 at 11:06
  • 2
    @Cell-o: If you only need a few file transfer protocols and not shells, use chroot plus scponly or rssh (Google scponly chroot or rssh chroot should lead you to howtos). Commented Jun 21, 2011 at 11:47
  • How about using ACLs? Commented Jun 21, 2011 at 14:23

2 Answers 2

Reset to default
21

It sounds like you want your müşteriler to have file transfer access to a folder without actually giving them shells. This is a good thing because as binfalse pointed out, giving people shells with limited access is tricky because shells need to access all kinds of things scattered on the system just to run.

In order to give SFTP access to a specific folder, you can do something like this.

  1. Add a new group to the system, say 'sftponly'.
  2. Add any users on your system that should have restricted rights to this group. You could also give them restricted shells like /bin/true, but it's not required.
  3. Change your ssh config file (Usually /etc/ssh/sshd_config) with these lines
    Subsystem sftp internal-sftp

    Match Group sftponly
        ChrootDirectory %h
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

This would activate the sftp subsystem inside of SSH and force members of that system group to use only that system when logging in. It would also chroot them to their home directories. You could change that to be a sub-folder of their home-directores as well with something like ChrootDirectory %h/musteri_sftp so that they couldn't se the rest of their system files but would login directly to a special subfolder of their home folder.

Kolay gelsin.

Improve this answer
5
  • Öncelikle teşekkürler. ;) As you mentioned,I set up SFTP.But,I have a problem regarding iptables.Here is my rule. -> A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT Commented Jun 21, 2011 at 18:06
  • 1
    Birşey değil. While FTP would use port 21, SFTP is an ftp like protocol that runs over the SSH channel, so it is going to use the SSH port which by default is 22. Commented Jun 21, 2011 at 18:18
  • 1
    Note that you should also locate and comment out any previously existing Subsystem command (e.g. Subsystem sftp /usr/lib/openssh/sftp-server) Commented Nov 2, 2016 at 10:36
  • 2
    Solved my problem AND learned some handy Turkish phrases! Bonus! Commented Oct 5, 2017 at 1:15
  • I needed to create a special directory owned by root and only writable by root for this to work. Then I configured sshd ChrootDirectory /owned/by/root/%h I was then able to create a directory within the users home directory which was owned by this user and therefore able to upload files to this directory Commented Feb 13 at 16:02
4

In my opinion this is very difficult, if not impossible. When the user connects via SSH he at least needs a shell, in your case the bash. To execute /bin/bash he needs permissions to access /bin. bash itself needs to read some stuff from /etc (e.g. /etc/bash.bashrc), so the user needs also access to /etc. Assuming the user doesn't only want to hang around in this directory, he might want to read a file, but to execute for example vim he needs also access to /usr/bin.
This is just a slight demonstration, there are some more dependencies, e.g. I don't really know what will happen if the user doesn't have access to /tmp..

You should think about your intention. Do you just want somebody to have read/write access to a part of your web service? Then you might set up something like FTP to export a specific directory to this user. So he is able to read/write this files without SSH access.
Another nice solution would be a repository. For example set up a GIT repo and let the user clone it. He can do his changes locally and send you a patch. You can decide whether to apply this patch or not, a rollback for buggy patches is also very easy.

Improve this answer
3
  • rbash is designed to do exactly this. Commented Jun 21, 2011 at 19:47
  • This thing is called a restricted shell. But since Cell-o only wants to allow file transfers, it's not the right tool. Commented Jun 21, 2011 at 20:45
  • I just want to create a Deploy user for a Github deploy pipeline. So actually Github will transfer the files with Github actions to my production server's live directory /var/www/example.com/live So the Deploy user shall be restricted to only this directory and shall not have shell access. Just in case someone finds this user. So is this correct? sudo ln -s /bin/bash /bin/rbash sudo useradd -s /bin/rbash -d /var/www/example.com/live deployuser sudo chmod -R 755 /var/www/example.com/live Commented Jul 16, 2021 at 2:25

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.