Restrict SFTP User to their Sites Directory (not just their Home Directory)
If you want to give your web hosting clients SFTP access to specific directories (probably their sites, right?) while keeping them chrooted (jailed) into their home directory, then read on.
The idea here is simple: we want to give our clients SFTP access to our server and then only allow them to access their individual sites. In this article, we're going to set up a sample user jesse with a jailed SFTP account. This means that this new user "jesse" will only be able to access his home directory.
But wait! We don't want to restrict the user to their home directory; since they're web hosting clients, they need to be able to access their web directories, right? So instead of chrooting them to their home directories, shouldn't we be chrooting them to their site directories?
Not necessarily. The idea here is that we will have new users set up on our Linux server with their /home/user directories because it separates their access point from the web root. Then, we'll mount their specific web directories to their home account so that they can edit only their sites located on our system.
This assumes a few things:
- You have users who have either one site or multiple sites,
- You don't mind customizing your hosting directory a little bit,
- You're comfortable with the command line.
If the last point is what's stopping you, then grab those bootstraps and dig in. There's nothing like getting your feet wet the hard way!
Step 1: Tell the server to jail SFTP users.
The first thing we'll do is set up your server to allow for SFTP. Run the following command and see what the output is:
sudo service ssh status
You should see something like:
ssh start/running, process 1234
If you get something else that says SSH is not installed, then you need to go ahead and install OpenSSH by running the following command:
sudo apt-get install ssh
Once you have SSH installed and running, make sure you rerun the previous command (service ssh status) to ensure you're up and ready to go.
The default SSH server settings don't discriminate between web hosting clients and your admin/root account(s), so if you were to create a new user right now and have them log in to your server via SFTP, they would be able to back up out of their home directory and snoop around your file system. They won't have permissions to do anything, of course, but the idea of having a web client snooping around my servers is rather unsettling (wouldn't you agree?)
To jail our SFTP users to their home directory, we're going to do something called Chroot'ing. Technically, we aren't going to use the chroot command at all; chroot is a way to define the root folder of the system so we can mount and run from different disks. Not exactly what we're trying to accomplish, right? Well, in a way, we actually are changing the root system for each of our SFTP users by restricting them to their home directories. Now, their root directory is not the server root, but instead, is /home/%username%. So we use chroot here as a verb to describe what's happening, not as the command. (This should help to clarify what a lot of other tutorials around the internet fail to disclose).
We'll jail all server users by editing our ssh config file and adding a new block of text at the very end. First, let's open up our SSH configuration file:
sudo nano /etc/ssh/sshd_config
Once it's open, we need to scroll all the way to the bottom of the file. You can do this very quickly in nano by holding down Ctrl and pressing 'v', which is the command for "page down" in nano. (See? You learn something new every day.)
At the bottom, we'll add the following to the file:
# New rules for group 'jailedsftp'
Match group jailedsftp
# Change the root of each user to their home directory
ChrootDirectory /home/%u
AllowTcpForwarding no
ForceCommand internal-sftp
What this does is tell sshd to apply the above rules to the user group jailedsftp, the main rule being to change the root directory of our users in this group to /home/<their user name>.
Save this file: press Ctrl+x, then press 'y', then press 'enter.'
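As an added example (not part of the original article), this shell function lints an sshd_config file for the Match block above and fails if any of the three directives is missing for the group. The function name check_sftp_jail and the temporary sample file are constructed for illustration, and it only recognizes the exact form Match group <name>.

```shell
#!/bin/sh
# Added example: lint the "Match group" block from Step 1.
# Usage: check_sftp_jail FILE GROUP
# Returns 0 only if the block for GROUP sets all three directives the article uses.
# Simplification: only the exact form "Match group GROUP" is recognized
# (no patterns, no extra criteria) and only whole-line comments are skipped.
check_sftp_jail() {
    awk -v grp="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = tolower($1)                    # sshd_config keywords are case-insensitive
            if (key == "match") {                # a Match block runs to the next Match or EOF
                in_block = (tolower($2) == "group" && $3 == grp)
                if (in_block) found = 1
                next
            }
            if (!in_block) next
            # sshd keeps the first value it sees for a keyword, so do the same
            if (key == "chrootdirectory"    && chroot == "") chroot = $2
            if (key == "forcecommand"       && force  == "") force  = $2
            if (key == "allowtcpforwarding" && fwd    == "") fwd    = tolower($2)
        }
        END {
            if (!found) { print "FAIL: no \"Match group " grp "\" block"; exit 1 }
            bad = 0
            if (chroot == "")             { print "FAIL: ChrootDirectory not set"; bad = 1 }
            if (force != "internal-sftp") { print "FAIL: ForceCommand is not internal-sftp"; bad = 1 }
            if (fwd != "no")              { print "FAIL: AllowTcpForwarding is not no"; bad = 1 }
            if (!bad) print "ok: group " grp " is chrooted to " chroot " with SFTP only"
            exit bad
        }
    ' "$1"
}

# Constructed sample: the block from Step 1, written to a temp file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# New rules for group 'jailedsftp'
Match group jailedsftp
    ChrootDirectory /home/%u
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
check_sftp_jail "$sample" jailedsftp
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config after saving, then run sudo sshd -t to syntax-check the file before restarting the service. sshd also requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, so /home/jesse itself must be owned by root or the login is refused.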
Now let's create the group we'll use to jail all these user accounts.
If you just have a few users that you're trying to jail, then using the group method might be a bit cumbersome. You can also set the rules to Match user jesse and set up the permissions that way (this also allows you to manually set a directory, but will take manually editing this file every time you want to add a new user like that).
Step 2: Create a new SFTP user.
Simple: Create a new user in group jailedsftp.
Step 3: Test the new user (can you snoop around?)
Log in as the user and run a cd .. command. From there, run dir. Can you see anything above the parent directory? No? Then you're all set!