Restrict FTP user to a directory


Solution 1

The best way is to use SFTP from SSH and jail the user.

In file: /etc/ssh/sshd_config

make sure this line is uncommented:

Subsystem sftp internal-sftp

Then configure the rule to match a group:

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp

and lastly manage the users:

# chown root:root /home/user
# usermod -d / user
# adduser user sftponly

Source: http://www.debian-administration.org/articles/590
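An added example, not part of the answer above: sshd refuses the session unless every component of the ChrootDirectory path is root-owned and not writable by group or other, which is what the chown step is for. This sketch checks that before a user is moved into sftponly; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Pre-flight check for an sshd ChrootDirectory (added example).

# Print each component of an absolute path, from / down to the path itself.
path_components() {
    rest=${1#/}; acc=
    echo /
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        if [ -n "$part" ]; then
            acc="$acc/$part"
            echo "$acc"
        fi
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
}

# Read "uid mode path" lines (the output format of stat -c '%u %a %n') and
# report every component sshd would reject. Returns non-zero if any is unsafe.
audit_components() {
    bad=0
    while read -r uid mode path; do
        if [ "$uid" -ne 0 ]; then
            echo "FAIL $path: owned by uid $uid, not root"; bad=1
        fi
        # Leading 0 makes the mode an octal constant; 022 = group/other write.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL $path: mode $mode is group/other writable"; bad=1
        fi
    done
    return "$bad"
}

# Check a real directory, following symlinks as the kernel would.
check_chroot() {
    path_components "$1" | while read -r c; do
        stat -L -c '%u %a %n' "$c"
    done | audit_components
}

# Usage: sh check_chroot.sh /home/user
if [ "$#" -gt 0 ]; then check_chroot "$1"; fi
```

A failure here corresponds to sshd logging "bad ownership or modes for chroot directory" and dropping the connection at login.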

Solution 2

A bit late in the day but it may help others in the future. I installed VSFTPD and edited the configuration file vsftpd.conf so it includes:-

chroot_local_user=YES
allow_writeable_chroot=YES

You need to restart the service after editing:-

service vsftpd restart

The FTP users are restricted to the home directory specified when adding them.

Author: romainberger

Updated on September 18, 2022

Comments

  • romainberger
    romainberger over 1 year

    On an Ubuntu 11.04 server, I want to restrict a user to a specific directory (so he can't access the parents' directory) for FTP/ssh. I created the user with adduser username and changed the target directory with usermod -d /home/path/to/directory username. This worked perfectly.

    From what I found I have to modify a /etc/ftp/ftpaccess file but the file (and the ftp) directory does not exist. I tried creating it but it didn't change anything. Also I only want to restrict this user and not the others.

    Any ideas?

  • elacheche
    elacheche almost 11 years
  • romainberger
    romainberger almost 11 years
    The ssh / sftp login works, I just want to restrict the user to a directory
  • reallynice
    reallynice over 9 years
    For not affecting the usage of sftp for users that belong to a group other than "sftponly" (i.e. keeping), could I specify the Subsystem command inside the match, leaving the previous configuration unchanged?
  • roaima
    roaima almost 8 years
    Are you saying that /etc/ftpaccess is the correct path to the configuration file? What should this guestuser option look like?
  • grochmal
    grochmal almost 8 years
    OP cannot find the ftpaccess file, and that is quite likely since there are several ftp implementations out there. You should outline at least one implementation (preferably several) and tell how to make a distinction between them.
  • Rudresh Dixit
    Rudresh Dixit over 3 years
    Hey, one query: if the session is an anonymous one, how can I limit it to a specific directory?