January 25 2023

How to restrict server users' access to a specific directory in Linux


Do you need to lock down a Linux server so that certain remote users can access only one directory, and can only download and upload files there?

Let's look at how to do this.

When you have a server with SSH access, unless you have configured it otherwise, any user with an account on this system can log in and, if they have the rights and skills, wreak havoc on your server.

What you can do is restrict these users with a chroot jail.

By doing this, you significantly limit the capabilities of these users in your system.

In fact, any user restricted by a chroot jail can:

Get access to the server only via sftp
Get access only to a specific directory

What you will need

To make it work, you will need a running Linux instance and a user with sudo privileges.

That's all.

Let's do the magic of security.


How to create a restricted access group and add users on a Linux server

The first thing we need to do is create a new group and add users to it.

Create a group:

sudo groupadd restricted

Then add the user to the group using the command below (the -g option makes restricted the user's primary group):

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted access group.

How to set up SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Find the line (near the bottom):

Subsystem sftp  /usr/lib/openssh/sftp-server

Change this line to:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Save and close the file.

Restart SSH with:

sudo systemctl restart ssh

Now go to another machine and try to log in to the server via SSH as that user, for example:

ssh USERNAME@SERVER

You will see a warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.

For any user in the restricted access group to log in to the server, they must use sftp as follows:

sftp USERNAME@SERVER

Where USERNAME is the user name, and SERVER is the IP address or domain of the server.

After successfully logging in, they will find themselves in an sftp prompt where they can transfer files back and forth using the put and get commands.

Limited users can only upload files to their home directories.

When a restricted user logs in, they land in the /home directory.

Therefore, for a successful upload, they first have to change into their home directory by running a command like:

cd olivia

Once in their home directory, they can run a command like:

put file1

As long as this file is in the current working directory on the machine from which they logged in to the server, it will upload normally.

If these users only need to download files to the local machine, they can use a command such as:

get file1

I understand that this is a very limited configuration with very limited use cases, but at some point in your Linux admin career you will encounter a situation where you need to confine users to a chroot jail.

This is one way to do it.
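A common reason this setup fails is ownership of the chroot path: sshd accepts a ChrootDirectory only if every component of the path is a root-owned directory that no other user or group can write to. The script below is an added example, not part of the original article, that checks a path against that rule; the function name check_chroot_path and its optional OWNER_UID and STOP_AT arguments are assumptions made for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original article): check the rule sshd enforces
# on ChrootDirectory. Every component of the path, from the directory up to /,
# must be owned by root and must not be writable by group or others.
#
# check_chroot_path DIR [OWNER_UID] [STOP_AT]
#   OWNER_UID and STOP_AT are hypothetical hooks for testing without root;
#   the defaults (uid 0, walk up to /) are what sshd itself requires.
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: not a directory"; return 2; }
    owner=${2:-0}
    stop=$(cd "${3:-/}" 2>/dev/null && pwd -P) || stop=/
    rc=0
    while :; do
        uid=$(stat -c %u "$dir")     # numeric owner of this component
        mode=$(stat -c %a "$dir")    # octal permission bits, e.g. 755
        if [ "$uid" != "$owner" ]; then
            echo "FAIL $dir: owned by uid $uid, expected $owner"
            rc=1
        fi
        # 022 masks the group-write and other-write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $dir: mode $mode is group- or world-writable"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: path meets the ChrootDirectory ownership rule"
    fi
    return "$rc"
}

# Run against a path when one is given on the command line, e.g.:
#   sh check_chroot.sh /home        (check_chroot.sh is a hypothetical file name)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

For the configuration above, the path to check is /home. Running sudo sshd -t before restarting SSH also catches syntax errors in sshd_config.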





Information the publication:

  • Author of the publication: AdequateSchizo
  • Date of publication: 25 January 2023 16:14