How to restrict a Linux user to read only specific folders


Okay, first off, change that directory structure to:

/home/testserver/vehicles
/home/testserver/images
/home/testserver/dump

Then execute

chown root:root /home/testserver /home/testserver/vehicles /home/testserver/images
chmod 755 /home/testserver                  # chroot root must be root-owned and not group/world-writable
chown testuser:testserver /home/testserver/dump
chmod 775 /home/testserver/dump             # the only directory the user can write to

Finally, alter the ChrootDirectory directive line in /etc/ssh/sshd_config to

ChrootDirectory /home/testserver

I also recommend that you do a great deal of reading and brushing up on Linux system administration in general, as your question and the things you attempted to do so far indicate "cargo cult" administration -- copy/pasting advanced administration tricks without understanding what they do or how they do it in the hope that they'll do what you want. This can very easily lead to disasters that you'll have no idea how to fix.
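The answer hinges on a rule sshd enforces before it will chroot an SFTP user: the ChrootDirectory and every directory above it must be owned by root and must not be writable by group or others, otherwise the login is refused. The script below is an added example, not part of Shadur's answer; it walks that path component by component and reports the first one that breaks the rule. It assumes GNU coreutils `stat` (Linux).

```shell
#!/bin/sh
# Added example (not from the original answer): check that a directory meets
# sshd's ChrootDirectory requirement, i.e. it and every ancestor up to / are
# owned by root and are not writable by group or others. If a component
# fails, sshd refuses the login and logs "bad ownership or modes for chroot
# directory component". Assumes GNU coreutils stat.

# Print "<uid> <symbolic mode>" for a path, e.g. "0 drwxr-xr-x".
# Kept in its own function so it can be stubbed when testing.
stat_uid_mode() {
    stat -c '%u %A' "$1"
}

# check_component DIR: succeed if DIR is root-owned and not group/world-writable.
check_component() {
    set -- "$(stat_uid_mode "$1")"
    case $1 in
        "0 "*) ;;               # uid 0 is root
        *) return 1 ;;
    esac
    # In "drwxr-xr-x", character 6 is the group write bit and character 9
    # the other write bit; either one set disqualifies the component.
    case ${1#* } in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# check_chroot DIR: walk from DIR up to / and report the first bad component.
check_chroot() {
    dir=$1
    while :; do
        if ! check_component "$dir"; then
            printf 'bad chroot component (not root-owned or group/world-writable): %s\n' "$dir" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: sh check_chroot.sh /home/testserver
if [ $# -eq 1 ]; then
    check_chroot "$1" && echo "ok: $1 is acceptable as ChrootDirectory"
fi
```

Note that /home/testserver/dump, being owned by testuser, would fail this check, which is exactly why the answer makes /home/testserver the chroot and leaves dump as a subdirectory inside it.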


Question by Freny Christian

Updated on September 18, 2022

Comments

  • Freny Christian
    Freny Christian over 1 year

    I want to create a user that has access only to the following directories and can't see anything else

    /home/vehicles/ #read only
    /home/images/  #read only
    /home/dump/ #read and write
    

    I used this link https://unix.stackexchange.com/questions/15360/how-to-add-a-ssh-user-who-only-has-permissions-to-access-specific-folder

    so I created a user group called testserver

     Match Group testserver
            ChrootDirectory %h
            AllowTCPForwarding no
            X11Forwarding no
            ForceCommand internal-sftp
    

    and the chmod of those folders is like the following

    chmod -R 755 /home/vehicles/
    chmod -R 755 /home/images/
    chmod -R 765 /home/dump/
    

    Everything went well except that testuser is still able to access other folders. How do I prevent this user from accessing other folders (i.e. only access those three folders)?

    • Shadur
      Shadur over 12 years
      ChrootDirectory only works if the target directory is owned by root -- and unless the home directory of testuser is /home itself that'll just lock them into their home directory.
  • Admin
    Admin over 12 years
    btw when I execute the following command egrep -i "^testuser" /etc/passwd its output is testuser:x:1002:1003:Test User,,,:/home/testuser:/bin/bash
  • Freny Christian
    Freny Christian over 12 years
    Thanks a lot for your answer, but it can still access other files. Is there a way to block this user from accessing anything else except /home/testserver/?
  • Shadur
    Shadur over 12 years
    Is /home/testserver/ owned by root.root ?
  • Freny Christian
    Freny Christian over 12 years
    yes, but dump folder is owned by testuser
  • Shadur
    Shadur over 12 years
    If you set up the ChrootDirectory /home/testserver directive and that directory is owned by root then the internal-sftp force command should keep it properly rooted in /home/testserver and only able to access /dump/, /vehicles/ and /images/
  • Freny Christian
    Freny Christian over 12 years
    yes, when I logged in, it directed me to /home/testuser; then I changed the directory to the parent folder (cd /home) and suddenly I am able to access any folder according to its permissions, for example these folders: drwx---r-x 5 root root 4096 Oct 25 08:00 lib_dataDownloader drwx---r-x 2 root root 4096 Oct 24 07:54 localX
  • Freny Christian
    Freny Christian over 12 years
    or a folder like this: /home/scripts drwxrwxrwx 3 root root 4096 Oct 19 03:28 scripts