
Effectively limiting SFTP users to specific directories is a crucial security measure in Linux environments. By configuring the SSH daemon, you can ensure that users connecting via SFTP are restricted to a designated directory and cannot navigate the entire file system. This prevents unauthorized access to sensitive files and directories.
The core method involves using SSH’s built-in chroot functionality combined with forcing the connection to use the internal-sftp subsystem. This approach is generally preferred over older methods using shell scripts because it’s more secure and integrated.
Here’s how to set it up:
First, you’ll typically want to create a dedicated group for your SFTP-only users. This makes managing multiple restricted users easier.
Next, create the user who will have restricted SFTP access. Ensure they are added to the group you just created. You might also want to prevent them from having normal shell access, which can be done by assigning a non-interactive shell like /sbin/nologin or /bin/false.
The main configuration happens in the SSH daemon’s configuration file, typically located at /etc/ssh/sshd_config. You need to add a Match block to apply specific settings only to users in your designated SFTP group.
Inside the Match block for your SFTP group, add the following crucial directives:
- ChrootDirectory: This specifies the directory that will serve as the root (/) for the SFTP user’s session. The path specified must be owned by the root user and must not be writable by the user or group being matched. For example, /var/sftp/. You can use %u in the path, which will be replaced by the username (e.g., /var/sftp/%u), allowing each user to be chrooted into their own subdirectory within a root-owned parent.
- ForceCommand internal-sftp: This forces any connection for these users to run the integrated SFTP server and prevents them from getting a shell or running other commands.
- You should also disable features not needed for SFTP, such as AllowTCPForwarding no and X11Forwarding no.
After configuring sshd_config, you need to create the directory structure you specified in ChrootDirectory. If your ChrootDirectory is /var/sftp/%u, you would create /var/sftp. This directory (/var/sftp in this example) must be owned by root and have strict permissions (e.g., chmod 755).
Inside this root-owned directory, you can then create the directories where the users will actually upload/download files. For example, if ChrootDirectory is /var/sftp/%u, you would create /var/sftp/username. This directory can then be owned by the user and their group (chown username:sftpusers /var/sftp/username) and given appropriate permissions (e.g., chmod 775) to allow writing.
Finally, restart the SSH service to apply the changes. The command varies depending on your Linux distribution (e.g., systemctl restart sshd on systemd systems).
Once the service is restarted, the restricted SFTP users should only be able to access files and directories within their designated ChrootDirectory, effectively limiting their access and enhancing the security of your server. Testing the configuration thoroughly with the restricted user account is highly recommended.
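The ownership rule for ChrootDirectory can be checked before sshd is restarted. The following is an added example, not code from the original article: it walks a chroot path and flags any component that is not owned by the required uid or is writable by group or others, since sshd applies the rule to the chroot directory itself and to every parent directory. The function names, the /var/sftp/alice path and the optional owner-uid and top-directory parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path before restarting sshd.
# Function names and the /var/sftp/alice path are illustrative assumptions.

# True if $1 is a real directory owned by uid $2 and not group/other-writable.
dir_is_safe() {
    [ -n "$(find "$1" -prune -type d -user "$2" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# audit_chroot DIR [OWNER_UID] [TOP]
# Checks DIR and each parent up to TOP (default /). OWNER_UID defaults to 0
# (root), which is what sshd requires; the parameter exists so the function
# can be exercised on scratch directories without root.
audit_chroot() {
    ac_dir=$1
    ac_uid=${2:-0}
    ac_top=${3:-/}
    ac_rc=0
    case $ac_dir in
        /*) ;;
        *) echo "chroot path must be absolute: $ac_dir" >&2; return 2 ;;
    esac
    while :; do
        if ! dir_is_safe "$ac_dir" "$ac_uid"; then
            echo "UNSAFE: $ac_dir (owner must be uid $ac_uid, no g+w/o+w)" >&2
            ac_rc=1
        fi
        if [ "$ac_dir" = "$ac_top" ] || [ "$ac_dir" = / ]; then
            break
        fi
        ac_dir=$(dirname "$ac_dir")
    done
    return "$ac_rc"
}

# Typical use on the server, as root:
#   audit_chroot /var/sftp/alice && sshd -t && systemctl restart sshd
```

A non-zero return means at least one path component fails the check; each failing component is printed to stderr.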
Source: https://kifarunix.com/restrict-sftp-user-access-to-specific-directories-in-linux/