How to Restrict SFTP Users to Home Directories Using chroot Jail?

The simplest way to do this is to create a chroot jail for SFTP access. The method is the same on all Unix/Linux operating systems. With a chrooted environment, we can restrict users either to their home directory or to a specific directory.


Restrict Users to Home Directories


In this section, we will create a new group called sftpgroup and assign the correct ownership and permissions to user accounts. There are two ways to restrict users, either to their home directories or to a specific directory; we will see both in this article.


Create or Modify Users and Groups


Let us restrict an existing user, for example rootadminz, to his/her home directory, /home/rootadminz. For this, create a new group named sftpgroup using the groupadd command as shown:

# groupadd sftpgroup


Next, add the user ‘rootadminz’ to the sftpgroup group. The -a flag appends the group, so the user's existing supplementary groups are kept.

# usermod -aG sftpgroup rootadminz


You can also create a new user with the adduser command, for example senthil, and assign the user to the sftpgroup group.

# adduser senthil -g sftpgroup -s /sbin/nologin
# passwd senthil


Modify SSH Configuration File


Open the /etc/ssh/sshd_config configuration file and add the following lines.

Subsystem sftp internal-sftp
Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no


Save and exit the file, then restart the sshd service for the changes to take effect. Use the command that matches your init system.

# systemctl restart sshd
# service sshd restart


If you chroot multiple users to the same directory, change the permissions of each user’s home directory so that users cannot browse each other's home directories.

# chmod 700 /home/rootadminz


Verify SSH and SFTP Users Login


Now, it’s time to check the login from a local system. Try to ssh to your remote system from your local system.

# ssh rootadminz@<server-ip>



rootadminz – the remote system’s username. <server-ip> – the remote system’s IP address.


Sample output:
rootadminz@<server-ip>'s password: 
Could not chdir to home directory /home/rootadminz: No such file or directory
This service allows sftp connections only.
Connection to <server-ip> closed.


Then, access the remote system using SFTP.

# sftp rootadminz@<server-ip>


Sample output:
rootadminz@<server-ip>'s password: 
Connected to <server-ip>.


Let us check the current working directory:

sftp> pwd
Remote working directory: /

sftp> ls


Here, rootadminz is the home directory. Change to the rootadminz directory and create the files or folders of your choice.

sftp> cd rootadminz
Remote working directory: /

sftp> mkdir test


Restrict Users to a Specific Directory


In the previous example, we restricted existing users to the home directory. Now, we will see how to restrict a new user to a custom directory.


Create Group and New Users


Create a new group sftpgroup.

# groupadd sftpgroup


Next, create a directory for the SFTP group and make root its owner.

# mkdir -p /sftpusers/chroot
# chown root:root /sftpusers/chroot/


Next, create a new directory for each user, to which they will have full access. For example, we will create the rootadminz user and its new home directory with the correct group ownership using the following series of commands.

# adduser rootadminz -g sftpgroup -s /sbin/nologin
# passwd rootadminz
# mkdir /sftpusers/chroot/rootadminz
# chown rootadminz:sftpgroup /sftpusers/chroot/rootadminz/
# chmod 700 /sftpusers/chroot/rootadminz/


Configure SSH for SFTP Access


Modify or add the following lines at the end of the /etc/ssh/sshd_config file:

#Subsystem  	sftp	/usr/libexec/openssh/sftp-server
Subsystem sftp  internal-sftp
Match Group sftpgroup
   ChrootDirectory /sftpusers/chroot/
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no


Save and exit the file. Restart the sshd service for the saved changes to take effect.

# systemctl restart sshd
# service sshd restart


That’s it. You can check by logging in to your remote SSH and SFTP server using the steps provided above under Verify SSH and SFTP Users Login.


Be mindful that this method disables shell access, i.e., you can’t open a shell session on the remote system using SSH. You can only access the remote system via SFTP and transfer files between the local and remote systems.
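
sshd rejects the login unless every component of the ChrootDirectory path is a root-owned directory that is not writable by group or others, which is why the steps above chown the chroot directory to root. The following pre-flight check is an added example, not part of the original article; it assumes GNU stat on Linux, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Assumes GNU coreutils stat (Linux). Function names are hypothetical.

# mode_is_safe MODE: succeed if octal MODE has no group/other write bit.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: walk from DIR up to /, reporting every component
# that is not owned by root (uid 0) or is writable by group or others.
check_chroot_path() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi
    # Resolve symlinks so the real path components are the ones checked.
    dir=$(cd "$dir" && pwd -P) || return 1
    while :; do
        owner=$(stat -c '%u' "$dir")
        mode=$(stat -c '%a' "$dir")
        if [ "$owner" != 0 ]; then
            echo "FAIL $dir: owned by uid $owner, must be root"
            rc=1
        fi
        if ! mode_is_safe "$mode"; then
            echo "FAIL $dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: every component is root-owned and not group/other writable"
    fi
    return "$rc"
}

# Check the directory given as the first argument, e.g. /sftpusers/chroot.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Run it as root with the ChrootDirectory value as the first argument, and validate the edited sshd_config with `sshd -t` before restarting the service.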




Now you know how to restrict users to their home directories using a chroot environment in Linux.
