How to create a SFTP (SSH) User with extremely limited permissions
Let's start
Create user ubuntu
sudo useradd ubuntu
Make password
sudo passwd ubuntu
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Create for SFTP only group
xxx@xxx:~$ sudo groupadd sftp_users
Add to a user "ubuntu" for SFTP only group
xxx@xxx:~$ sudo usermod -G sftp_users ubuntu
Make dir for sftp
access
sudo mkdir /ubuntu
Change owner, because read/write permission
sudo chown root.root /ubuntu/
Add permission
sudo chmod 755 /ubuntu/
Edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Comment out and add a line like below
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Add at the last
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /ubuntu
ForceCommand internal-sftp
Restart ssh
service
sudo service ssh restart
With this cenfiguration you can ssh into folder ubuntu
and get files. Can not put
or delete
Try.
Edit 1
To sftp in right folder edit /etc/passwd
. Change line for user ubuntu
to look like this
sudo nano /etc/passwd
ubuntu:x:1001:1001::/ubuntu:
This will change user ubuntu home folder to your sftp server folder.
Enabling
root
account is not good idea.
You can ssh to server with user1
.
If you add user user1
in sudoer group
you will be able to write in
folder /ubuntu/
and set appropriate permission
sudo adduser user1 sudo
Make folder, write in folder ubuntu. After actions you must set permission for user ubuntu
. Easiest way is to agai set permission to 755
sudo chmod 755 -R /ubuntu/
-R - option will give reading permission of all files and dir's for user ubuntu
Related videos on Youtube
BlueStarry
Updated on September 18, 2022Comments
-
BlueStarry over 1 year
i run a server on Ubuntu Server 14.04. I want to create a user that is able to connect via sftp, download 1 file and terminate the connection. The user should not be able to do ANYTHING else. Browsing system files or settings nor command line entries, nothing. Log in, download the file, gg. When the file is updated, log in download it, gg. The file is in the same directory every time and has the same name every time but is updated.
EDIT: I'm trying to implement your solution but i've found some problems: On the config file of the ssh on my configuration there is a line with "allow groups sshdusers". I've added sftp_users. But there's another problem ahead. sudo chown root.root /ubuntu/ is not optimal for me because root is not able to ssh and write to the directory the file that "ubuntu" has to download (we will call it user1. I want user1 to be able to write on the directory and ubuntu to read only. If i change sudo chown user1.user1 /ubuntu/ and i try to sftp with the user ubuntu the connection fails. If i leave it root as you do i can connect but i can't see the currentdirectory i see only / and empy on filezilla. i've even added user1 to sftp_users, but still no success.
Many thanks
-
BlueStarry almost 9 yearsMany thanks to you. See my edit for more, as the comments are really tight.
-
2707974 almost 9 yearsYou have Edit 1 in my answer.
-
BlueStarry almost 9 yearsI'm sorry to say that it doesn't work. With filezilla sftp i can't write on the folder with user1 nor ubuntu. logging in with ubuntu via sftp gives me the / folder despite the last modifications. i've tried multiple times and i can't figure out the problem.
-
BlueStarry almost 9 yearsI think also that 755 is not good for this purpose because the owner is root and sudoers cannot write in the folder with 755
-
Auspex almost 5 yearsEven back in 2015, I'm sure Ubuntu was using
adduser
andaddgroup
, rather thanuseradd
,groupadd
, etc. Thesudo chown root.root /ubuntu/
is just wrong. You created the directory usingsudo
, so the ownership is alreadyroot
. It should useubuntu.sftp_users
. Finally, if you'd initially created it as owned byubuntu
, everything from "Enabling root user…" is superfluous.