Create new ssh user account to access specific folder only

server permissions ssh apache2 php

25,597

You should be able to accomplish this with

adduser --home /var/www/specific_folder --shell /bin/bash --no-create-home --ingroup www-data --ingroup ssh tonya

adduser is used to add a user
--home specifies home directory which is where the user will be when they log in
--shell is to specify the shell, by default it is usually just /bin/sh which is not as user friendly as /bin/bash
--no-create-home will not create the home directory so you must use one that already exists
--ingroup adds the user to specified group
the last argument is the username

You could make the user jailed using this guide:

Restrict SSH User Access to Certain Directory Using Chrooted Jail

Please remember that even if you jail a user, it is very possible to escape a jail. If you're giving a user access to your system, you may as well be giving them root access because once they have shell access, it's almost always possible to gain root. Setting up a jail will most likely keep a basic user from doing anything too harmful but will do little to nothing to stop a malicious user from doing harmful stuff.

25,597

simple guy

Updated on September 18, 2022

Comments

simple guy over 1 year
I have an apache2 server running on ubuntu 16.04, for now everytime i access my project files inside a specific folder i use root user for running php function and edit some files, after i finish i need to run chown -R www-data:www-data . inside a terminal, because after i run my php function the file owner will become user:user (root:root). what i need is:
1. Create new user for my server
2. When access my server using ssh this user will be inside a specific folder automatically
3. Grant this user a permission to do anything inside this specific folder
For example, Create a user named tonya, when someone access server using user tonya ssh [email protected], he will be redirected to /var/www/specific_folder, user tonya can do anything inside this folder and when tonya set the php file owner or folder to tonya:www-data it will work like when i set the file owner to www-data:www-data
- Panther about 6 years
  
  See also askubuntu.com/questions/46331/…
simple guy about 6 years

why there's 2 ingroup? how can this user get my root access?
Desultory about 6 years

one ingroup for ssh and one for www-data, and I'm not saying that they will be able to get root access but you should never allow a user on your system if you don't trust them because once they have shell access on your system, they're 50% the way to root basically. New exploits are discovered daily and because of that, you can never consider a system to be secure.
simple guy about 6 years

@Desultroy when i change my php file owner from www-data:www-data to tonya:www-data it gives me a file permission error , when i try to access the php from browser
Desultory about 6 years

You should probably change the permissions of the file so that it is group based and not owner based. I don't know if php requires the execute permission but it definitely needs the read permission. Permissions can be explained here: help.ubuntu.com/community/FilePermissions