How to create an SFTP (SSH) user with extremely limited permissions


Let's start

Create user ubuntu

sudo useradd ubuntu

Set a password

sudo passwd ubuntu
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Create a group for SFTP-only users

sudo groupadd sftp_users

Add the user "ubuntu" to the SFTP-only group (-a appends, so any groups the user already belongs to are kept)

sudo usermod -aG sftp_users ubuntu

Make a directory for SFTP access

sudo mkdir /ubuntu

Change the owner to root: sshd only accepts a ChrootDirectory that is owned by root and not writable by anyone else, so the user gets read access but no write access

sudo chown root:root /ubuntu/

Set permissions

sudo chmod 755 /ubuntu/

Edit /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Comment out the existing Subsystem line and add the one below

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Add at the end

Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /ubuntu
  ForceCommand internal-sftp

Restart ssh service

sudo service ssh restart

With this configuration the user can connect by SFTP, is confined to the folder /ubuntu and can get files, but cannot put or delete anything.

Try.

Edit 1

To land in the right folder when logging in by SFTP, edit /etc/passwd and change the line for user ubuntu so that it looks like this

sudo nano /etc/passwd

ubuntu:x:1001:1001::/ubuntu:

This changes the home folder of user ubuntu to your SFTP server folder.

Enabling the root account is not a good idea.

You can SSH to the server as user1.

If you add user1 to the sudo group, you will be able (via sudo) to write to the folder /ubuntu/ and set the appropriate permissions

sudo adduser user1 sudo

Create folders and write files in /ubuntu. Afterwards you must set permissions so that user ubuntu can read them; the easiest way is to set 755 again, recursively

sudo chmod 755 -R /ubuntu/

The -R option applies the permission recursively, giving user ubuntu read access to all files and directories. Note that 755 also sets the execute bit on regular files, which they do not need; 644 is enough for files.


Author by BlueStarry

Updated on September 18, 2022

Comments

  • BlueStarry
    BlueStarry over 1 year

    I run a server on Ubuntu Server 14.04. I want to create a user that is able to connect via sftp, download 1 file and terminate the connection. The user should not be able to do ANYTHING else: browsing system files or settings, nor command line entries, nothing. Log in, download the file, gg. When the file is updated, log in, download it, gg. The file is in the same directory every time and has the same name every time, but is updated.

    EDIT: I'm trying to implement your solution but I've found some problems: in the config file of the ssh on my configuration there is a line with "allow groups sshdusers". I've added sftp_users. But there's another problem ahead. sudo chown root.root /ubuntu/ is not optimal for me because root is not able to ssh and write to the directory the file that "ubuntu" has to download (we will call it user1). I want user1 to be able to write on the directory and ubuntu to read only. If I change to sudo chown user1.user1 /ubuntu/ and I try to sftp with the user ubuntu, the connection fails. If I leave it root as you do, I can connect but I can't see the current directory; I see only / and empty on FileZilla. I've even added user1 to sftp_users, but still no success.

    Many thanks

  • BlueStarry
    BlueStarry almost 9 years
    Many thanks to you. See my edit for more, as the comments are really tight.
  • 2707974
    2707974 almost 9 years
    You have Edit 1 in my answer.
  • BlueStarry
    BlueStarry almost 9 years
    I'm sorry to say that it doesn't work. With FileZilla sftp I can't write on the folder with user1 nor ubuntu. Logging in with ubuntu via sftp gives me the / folder despite the last modifications. I've tried multiple times and I can't figure out the problem.
  • BlueStarry
    BlueStarry almost 9 years
    I think also that 755 is not good for this purpose because the owner is root and sudoers cannot write in the folder with 755
  • Auspex
    Auspex almost 5 years
    Even back in 2015, I'm sure Ubuntu was using adduser and addgroup, rather than useradd, groupadd, etc. The sudo chown root.root /ubuntu/ is just wrong. You created the directory using sudo, so the ownership is already root. It should use ubuntu.sftp_users. Finally, if you'd initially created it as owned by ubuntu, everything from "Enabling root user…" is superfluous.