Create an SSH user who only has permission to access specific folders

Solution 1

This is simple. Just create a new user with its home directory set to the one you need him to have access to (this command must be run under sudo or in root shell):

adduser --home /restricted/directory restricted_user

This will create a user restricted_user, the directory /restricted/directory and then permissions on the directory will be set so the user can write to it. It won't have the ability to write to any other directory by default.

If you have the directory already, you can run the adduser command with a --no-create-home option appended and set permissions manually (also with root privileges), like:

chown restricted_user:restricted_user /restricted/directory
chmod 755 /restricted/directory

If you need to make even world-writable directories inaccessible for this user, there are two variants.

1) If you want to provide an interactive shell session to the user, then consider following this manual on creating a chroot jail (in your /restricted/directory).

After that, add the following to your sshd_config:

Match user restricted_user
  ChrootDirectory /restricted/directory

2) If you only need him to copy files between his endpoint of connection and your host, everything is much easier. Add these lines at the end of your sshd_config:

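# Subsystem is a global directive: keep it above every Match block,
# because everything after a Match line belongs to that block.
Subsystem       sftp    internal-sftp

# Restrict this user to SFTP only, confined to the chroot directory.
Match user restricted_user
  ForceCommand internal-sftp
  ChrootDirectory /restricted/directory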

Then comment out the Subsystem sftp /usr/lib/openssh/sftp-server by placing a hash (#) sign at the start.

After restarting your SSH server (it does not kill interactive sessions on restart, so it is safe even if you misconfigured something; also, do not close your running session before you have checked that you are still able to log in), everything should work as intended.
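
The ChrootDirectory variants in Solution 1 only work when every component of the chroot path is a root-owned directory that is not writable by group or others (the rule stated in sshd_config(5)), which is why chmod 775 on the chroot directory locks the user out. The script below is an added example, not part of the original answers; its function names are made up here and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: audit a directory before using it as ChrootDirectory.
# sshd_config(5): every component of the chroot path must be a root-owned
# directory that is not writable by any other user or group.
# Assumes GNU stat (Linux). Function names are illustrative.

# component_ok UID MODE -> 0 if owner is root and no group/other write bit
component_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# audit_chroot DIR -> prints offending components; returns 0 only if
# DIR and all of its parents up to / pass component_ok
audit_chroot() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    rc=0
    while :; do
        meta=$(stat -c '%u %a' "$dir")
        uid=${meta% *}
        mode=${meta#* }
        if ! component_ok "$uid" "$mode"; then
            echo "FAIL $dir (owner uid=$uid, mode=$mode)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Stand-alone use: sh audit_chroot.sh /restricted/directory
if [ "$#" -gt 0 ]; then
    audit_chroot "$1" && echo "OK: $1 passes the ChrootDirectory ownership check"
fi
```

Run `sshd -t` as root before restarting so that a syntax error in sshd_config is caught while your current session is still open.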

Solution 2

The easiest way to create a restricted user that cannot wander off the given directory (e.g., to the upper directory etc), and have a limited/picked set of commands to use, is to use a Restricted Shell. Ref:

http://man.he.net/man1/rbash

First, create a symlink called rbash (run as root user).

ln -s /bin/bash /bin/rbash

Then just create a normal user with this Restricted Shell, and set its home dir to the desired folder:

useradd -s /bin/rbash -d /home/restricted_folder username

Even without the Restricted Shell, if you explicitly do not add this user to the sudoers list, or any special groups, then it will be limited by default.

With the Restricted Shell, the following are disallowed or not performed:

  • changing directories with cd

  • setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

  • specifying command names containing /

  • specifying a file name containing a / as an argument to the . builtin command

  • specifying a filename containing a slash as an argument to the -p option to the hash builtin command

  • importing function definitions from the shell environment at startup

  • parsing the value of SHELLOPTS from the shell environment at startup

  • redirecting output using the >, >|, <>, >&, &>, and >> redirection operators

  • using the exec builtin command to replace the shell with another command

  • adding or deleting builtin commands with the -f and -d options to the enable builtin command

  • using the enable builtin command to enable disabled shell builtins

  • specifying the -p option to the command builtin command

  • turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files

Moreover/Optionally, to restrict the user to a limited/picked set of commands to use, you can create a .bash_profile read-only to that user, with

PATH=$HOME/bin

and symlink whatever commands you allow into the ~/bin folder to that user:

ln -s /bin/ls /home/restricted_folder/bin/ls
ln -s /bin/mkdir /home/restricted_folder/bin/mkdir
ln -s /bin/rm /home/restricted_folder/bin/rm

etc.

HTH

Author: Walter Kelt

Updated on September 17, 2022

Comments

  • Walter Kelt over 1 year
    I installed SSH, but I found if I use my original account to login to Ubuntu, it has too many permissions.
    I want to constrain the user to only have permissions for specific folders in Ubuntu. How can I configure such a user?
  • Walter Kelt almost 14 years
    I tried, but it seems that I can still cd .. and browse the upper directory. And when I use vi a.txt in the upper directory, it shows: press enter or command to continue, and I cannot quit vi
  • flickerfly over 10 years
    Can I use option #2 if the user should only have sshfs access?
  • My-Name-Is over 10 years
    Everything works fine, except that I have no write permission. How can I set a write permission for this restricted directory? If I use chmod 775, the user can't log in anymore.
  • whitequark over 10 years
    @My-Name-Is you could create a subdirectory and set permissions as 775 on it
  • rebellion over 9 years
    I tried method 2, and got Write failed: Broken pipe when I try to log in.
  • Tik0 about 9 years
    You should write the Subsystem sftp internal-sftp line in your second example above the Match block. Otherwise ssh will print out an error and does not start.
  • bicycle almost 7 years
    Spoiler alert: does not work with scp
  • 16851556 almost 5 years
    I can find any file on the filesystem, including /root directory and I can read these files. Wondering how to further restrict access of seeing anything outside user folder or capturing any network packets or reading /var/log contents
  • Jason Goal about 4 years
    Can that /restricted/directory be a directory under another user's home directory? I have the root access of this machine.
  • X99 over 3 years
    Sir, I want to thank you for this amazing yet so simple solution. I fought a lot in the past with jails, my being to log onto my server with a user that has no right, except to "su - root". I always thought that jails were a bit too complicated to set up, and rbash really comes to the rescue! Thanks a lot!!