{"id":5225,"date":"2020-03-16T23:07:03","date_gmt":"2020-03-16T20:07:03","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5225"},"modified":"2023-12-18T19:48:52","modified_gmt":"2023-12-18T16:48:52","slug":"restrict-sftp-user-access-to-specific-directories-in-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/restrict-sftp-user-access-to-specific-directories-in-linux\/","title":{"rendered":"Restrict SFTP User Access to Specific Directories in Linux"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1042\" height=\"585\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/12\/restrict-sftp-access.png?v=1702917929\" alt=\"Restrict SFTP User Access to Specific Directories in Linux\" class=\"wp-image-19695\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/12\/restrict-sftp-access.png?v=1702917929 1042w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/12\/restrict-sftp-access-768x431.png?v=1702917929 768w\" sizes=\"(max-width: 1042px) 100vw, 1042px\" \/><\/figure>\n\n\n\n<p>In this guide, we are going to learn how to restrict SFTP user access to specific directories in Linux systems. <a aria-label=\"SFTP, an acronym for Secure File Transfer Protocol (opens in a new tab)\" href=\"https:\/\/www.ssh.com\/ssh\/sftp\" target=\"_blank\" rel=\"noreferrer noopener\">SFTP, an acronym for Secure File Transfer Protocol<\/a> is a secure file transfer protocol that runs over SSH. 
It offers all the features offered by the legacy FTP protocol but in a more secure manner.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#restrict-sftp-user-access-to-specific-directories-in-linux\">Restrict SFTP User Access to Specific Directories in Linux<\/a><ul><li><a href=\"#install-open-ssh-server\">Install OpenSSH Server<\/a><\/li><li><a href=\"#create-unprivileged-sftp-user-account\">Create Unprivileged SFTP User Account<\/a><\/li><li><a href=\"#restrict-sftp-user-access-to-directory-with-chroot-jail\">Restrict SFTP User Access to Directory with Chroot Jail<\/a><\/li><li><a href=\"#how-to-restrict-sftp-user-to-read-only-access\">How to Restrict SFTP User to read-only Access<\/a><\/li><li><a href=\"#restart-ssh-service\">Restart SSH service<\/a><\/li><li><a href=\"#verifying-sftp-user-restricted-directory-access\">Verifying SFTP User Restricted Directory Access<\/a><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"restrict-sftp-user-access-to-specific-directories-in-linux\">Restrict SFTP User Access to Specific Directories in Linux<\/h2>\n\n\n\n<p>In order to restrict SFTP user access to specific directories in Linux, SFTP chroot jails are used. 
The SFTP chroot jail ensures that an SFTP user, once logged in to a system, is confined only to specific directories with no access to other directories on the system.<\/p>\n\n\n\n<p>OpenSSH comes with the support for SFTP chroot jails by default.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-open-ssh-server\">Install OpenSSH Server<\/h3>\n\n\n\n<p>In order to be able to configure restricted directory access for SFTP users, ensure that OpenSSH server is installed.<\/p>\n\n\n\n<p>OpenSSH Server can be installed by running the commands below;<\/p>\n\n\n\n<p>On CentOS and Other RHEL derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>yum -y install openssh-server openssh-clients<\/code><\/pre>\n\n\n\n<p>On Ubuntu and Other Debian derivatives;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install openssh-server -y<\/code><\/pre>\n\n\n\n<p>For other Linux distros, consult your distro guide on how to install OpenSSH server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-unprivileged-sftp-user-account\">Create Unprivileged SFTP User Account<\/h3>\n\n\n\n<p>Create a group to assign SFTP user accounts to. <strong>Note that this is not necessary, as the directories you will be assigning the user to may already have a specific group assigned to them<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>groupadd sftpgroup<\/code><\/pre>\n\n\n\n<p>Next, create a less privileged account for an SFTP user. 
Replace the username accordingly;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>useradd -M -g sftpgroup -s \/usr\/sbin\/nologin sftpuser<\/code><\/pre>\n\n\n\n<p>If, for example, you are restricting SFTP user access to web server directories such as the Nginx and Apache root directories, which are already owned by the group <code>nginx<\/code>, <code>apache<\/code> or <code>www-data<\/code>, you would simply set the primary group of the user by replacing <code>sftpgroup<\/code> with either <code>nginx<\/code>, <code>apache<\/code> or <code>www-data<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>useradd -M -g nginx -s \/usr\/sbin\/nologin sftpuser<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>useradd -M -g apache -s \/usr\/sbin\/nologin sftpuser<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>useradd -M -g www-data -s \/usr\/sbin\/nologin sftpuser<\/code><\/pre>\n\n\n\n<p>You can also change the user&#8217;s primary group using the <code>usermod<\/code> command. 
For example, to change the default group of <code>sftpuser<\/code> to <code>apache<\/code>, simply run;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>usermod -g apache sftpuser<\/code><\/pre>\n\n\n\n<p>Note that the group must exist for the command above to succeed.<\/p>\n\n\n\n<p>You can also add sftpuser to an existing group (secondary group).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>usermod -aG apache sftpuser<\/code><\/pre>\n\n\n\n<p>Create a password for the user to unlock its account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>passwd sftpuser<\/code><\/pre>\n\n\n\n<p>Verify the groups the user belongs to;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>groups sftpuser<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sftpuser : <strong>www-data<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"restrict-sftp-user-access-to-directory-with-chroot-jail\">Restrict SFTP User Access to Directory with Chroot Jail<\/h3>\n\n\n\n<p>Once you have an SFTP user whose primary group matches the group of the directory you are limiting access to, you can configure the chroot jail using OpenSSH.<\/p>\n\n\n\n<p>OpenSSH enables you to specify the pathname of a directory to which the user will be confined after authentication through the use of the <code><strong>ChrootDirectory<\/strong><\/code> parameter.<\/p>\n\n\n\n<p>Open the SSH configuration file for editing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<p>Enable the SSH in-process SFTP server by commenting out (add # at the beginning) the following line&#8230;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code># override default of no subsystems\nSubsystem      sftp    \/usr\/libexec\/openssh\/sftp-server<\/code><\/pre>\n\n\n\n<p> &#8230; and replacing it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>Subsystem sftp  
internal-sftp<\/strong><\/code><\/pre>\n\n\n\n<p>Next, add the following configuration options after the line above;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Match User sftpuser\n  ChrootDirectory \/var\/www\/html\/\n  ForceCommand internal-sftp\n  AllowTcpForwarding no\n  X11Forwarding no\n<\/code><\/pre>\n\n\n\n<p>Such that your configuration looks like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n# override default of no subsystems\n#Subsystem      sftp    \/usr\/libexec\/openssh\/sftp-server\n<strong>Subsystem sftp  internal-sftp\nMatch User sftpuser\n  ChrootDirectory \/var\/www\/html\/\n  ForceCommand internal-sftp\n  AllowTcpForwarding no\n  X11Forwarding no<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Note the directory name assigned to <code><strong>ChrootDirectory<\/strong><\/code>. This specifies the directory to which the user, specified by the <code><strong>Match User<\/strong><\/code> option, has access. In this case, the directory is <code><strong>\/var\/www\/html\/kifarunix<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -alhd \/var\/www\/html\/kifarunix\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>drwxr-xr-x 5 www-data <strong>www-data<\/strong> 4.0K Mar 16 14:59 <strong>\/var\/www\/html\/kifarunix\/<\/strong><\/code><\/pre>\n\n\n\n<p>Also pay attention here:<\/p>\n\n\n\n<p><strong><code>man sshd_config<\/code><\/strong>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>ChrootDirectory<\/strong> <strong>Specifies the pathname of a directory to chroot(2) to after authentication.  At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.  
After the chroot, sshd(8) changes the working directory to the user&#8217;s home directory.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p>The\u00a0bind\u00a0path, in this case, <strong><code>\/var\/www\/html<\/code><\/strong>, therefore needs to be <strong>fully owned by\u00a0<code>root<\/code><\/strong> to ensure that the SFTP user has no access beyond its chroot jail.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -alh \/var\/www\/html<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>total 4.0K\ndrwxr-xr-x. 4 root   root     34 Mar 16 21:56 .\n<strong>drwxr-xr-x. 4 root   root     33 Mar 12 15:20 ..<\/strong>\n<strong>drwxr-xr-x. 5 apache apache 4.0K Mar 16 21:56 kifarunix<\/strong><\/code><\/pre>\n\n\n\n<p>For more explanation on options used, simply consult, <code><strong>man sshd_config<\/strong><\/code>.<\/p>\n\n\n\n<p>If you need to specify a specific group, simply replace the line, <strong><code>Match User sftpuser<\/code><\/strong> with <code><strong>Match Group sftpgroup<\/strong><\/code> replacing the names of the group accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-to-restrict-sftp-user-to-read-only-access\">How to Restrict SFTP User to read-only Access<\/h3>\n\n\n\n<p>You can restrict sftp user to read-only access by updating the line below from;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  ForceCommand internal-sftp<\/code><\/pre>\n\n\n\n<p>To;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  ForceCommand internal-sftp <strong>-R<\/strong><\/code><\/pre>\n\n\n\n<p>This option restricts the client to read-only access within the chrooted environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"restart-ssh-service\">Restart SSH service<\/h3>\n\n\n\n<p>Check SSH configurations for any errors;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sshd -t<\/code><\/pre>\n\n\n\n<p>If the configuration file contains no syntax errors, the command will produce no output and return to the command prompt. 
If there are any syntax errors, it will print an error message indicating the location and nature of the error.<\/p>\n\n\n\n<p>If there is no error;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart sshd<\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart ssh<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verifying-sftp-user-restricted-directory-access\">Verifying SFTP User Restricted Directory Access<\/h3>\n\n\n\n<p>Note that, in our setup above, we have restricted access for the SFTP user, <strong><code>sftpuser<\/code><\/strong>, to the web server root directory, <strong><code>\/var\/www\/html\/kifarunix<\/code><\/strong>.<\/p>\n\n\n\n<p>To verify the access controls, log in as the SFTP user. Replace the username and server_IP accordingly;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sftp sftpuser@server_IP<\/code><\/pre>\n\n\n\n<p>If SSH is running on a non-default port, you need to specify the port;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sftp -P port sftpuser@server_IP<\/code><\/pre>\n\n\n\n<p>Once you log in, check the current working directory;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sftp> pwd\nRemote working directory: \/\nsftp><\/pre>\n\n\n\n<p>List the contents;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sftp> ls\nkifarunix  \nsftp><\/pre>\n\n\n\n<p>Notice the sub-directory under the ChrootDirectory.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sftp> cd ..\/..\/\nsftp> pwd\nRemote working directory: \/\nsftp> ls\nkifarunix  \nsftp>\n<\/code><\/pre>\n\n\n\n<p>As you can see from the output of the command above, the sftpuser has no access outside the specified directory, and that is how simple it is to restrict access of an SFTP user to a specific directory.<\/p>\n\n\n\n<p>That marks the end of our guide on how to restrict SFTP User Access to Specific Directories in Linux.<\/p>\n\n\n\n<p>You can also read about SFTP chroot on <a rel=\"noreferrer noopener\" aria-label=\"HowTo: chroot SFTP 
(only) (opens in a new tab)\" href=\"https:\/\/www.minstrel.org.uk\/papers\/sftp\/\" target=\"_blank\">HowTo: chroot SFTP (only)<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/run-only-specific-commands-with-sudo-in-linux\/\" target=\"_blank\">Run only Specific Commands with sudo in Linux<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-add-users-to-sudo-group-in-linux\/\" target=\"_blank\">How to Add Users to sudo group in Linux<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/using-find-command-to-search-for-files-and-directories-in-linux\/\" target=\"_blank\">Using Find Command to Search for Files and Directories in Linux<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/connect-to-wifi-in-linux-using-nmcli-command\/\" target=\"_blank\">Connect to WiFi in Linux Using NMCLI command<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to restrict SFTP user access to specific directories in Linux systems. 
SFTP, an acronym for Secure<\/p>\n","protected":false},"author":1,"featured_media":19695,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,49,362],"tags":[1107,1357,1351,1354,1356,1353,7345,1352,71],"class_list":["post-5225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-command-cheatsheets","category-ssh","tag-linux","tag-restrict-access-to-directory-sftp-linux","tag-sftp","tag-sftp-chroot","tag-sftp-chroot-jail","tag-sftp-directory","tag-sftp-read-only-user","tag-sftp-restrict-directory-access","tag-ssh","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5225"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5225"}],"version-history":[{"count":9,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5225\/revisions"}],"predecessor-version":[{"id":19696,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5225\/revisions\/19696"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/19695"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}