Linux Shell to Restrict Sftp Users to Their Home Directories

Linux shell to restrict sftp users to their home directories?

OpenSSH ≥ 4.8 supports a ChrootDirectory directive.

Add to /etc/sshd_config or /etc/ssh/sshd_config or whatever your setup's global sshd config file is:


Match user ben_files
    # The following two directives force ben_files to become chrooted
    # and only have sftp available. No other chroot setup is required.
    ChrootDirectory /var/www/vhosts/mydomain.example/files
    ForceCommand internal-sftp
    # For additional paranoia, disallow all types of port forwardings.
    AllowTcpForwarding no
    GatewayPorts no
    X11Forwarding no
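
Per sshd_config(5), sshd checks at session startup that every component of the ChrootDirectory path is a root-owned directory that is not writable by any other user or group, and refuses the session otherwise. The pre-flight check below is an added example, not part of the original answer; the function names are hypothetical and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```sh
#!/bin/sh
# Added example (not from the original answer): pre-flight check for a
# ChrootDirectory path. Assumes GNU/busybox `stat -c`.

# component_ok UID MODE: succeeds only if the owner is root (uid 0) and the
# group-write and other-write bits (octal 022) are both clear.
# MODE is the octal string from `stat -c %a`, e.g. 755 or 1777.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
    return 0
}

# check_chroot_path PATH: walks from PATH up to /, reports every component
# sshd would reject, and returns 1 if there was at least one.
check_chroot_path() {
    case $1 in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
    cur=${1%/}; [ -n "$cur" ] || cur=/
    bad=0
    while :; do
        if [ ! -d "$cur" ]; then
            echo "BAD  $cur (not a directory)"; bad=1
        else
            # -L follows symlinks, as the stat() call in sshd does.
            info=$(stat -L -c '%u %a' -- "$cur")
            uid=${info% *}; mode=${info#* }
            component_ok "$uid" "$mode" ||
                { echo "BAD  $cur (uid=$uid mode=$mode)"; bad=1; }
        fi
        [ "$cur" = / ] && break
        cur=$(dirname -- "$cur")
    done
    return "$bad"
}

# Usage: sh check_chroot.sh /var/www/vhosts/mydomain.example/files
if [ "$#" -gt 0 ]; then check_chroot_path "$1"; fi
```

Because the chroot directory itself cannot be writable by the user, uploads need a subdirectory inside it that the user owns.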

Give user SFTP access to specific folder only - Ubuntu 14.04

To restrict access to a specific directory you can use the ChrootDirectory directive. See this question for more information.

Your second question (allowing SFTP but disabling SSH access) has been answered here.

Restrict user access on linux

A chrooted jail is the answer.
Like: https://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny

Is it possible to restrict an ssh key to specific directories

It's possible, but it's sort of a hack. The much preferred, simpler way is just to only grant that user permissions to certain files and directories.

Access to SFTP bin/bash

Well, I have no clue about Plesk, but sftp uses ssh to tunnel the communication between client and server. Therefore, the user can access your server with ssh, and get a full-fledged shell to do nasty stuff. If you don't pay attention he can read other users' homes, or read your server's configs.

Unless you chrooted the user, and took further care about hdd, cpu, mem, ... limits, you should not allow access to your server to a potentially untrustworthy user via ssh.

To my knowledge, there is no way to allow sftp/scp without complete ssh access.

How do I restrict creating files in a directory while allowing deleting files

It seems you cannot do this with file system permissions alone.

As described here, creating or deleting a file is actually a modification of the directory that contains the file. For that, the user needs to have a "w" permission to this directory. But at the same time, your requirements contradict each other - the user can either both create and delete files, or none of the above.

Apparently you need some kind of an additional authorization mechanism (maybe some web service, or a remotely callable script) to delete or upload the files, and then apply the authorizations there.

Edit:
For instance, you could create a REST web service running with a separate user account that has "w" permission to the directory. You need to perform very strict checking of the passed arguments and authenticate the users, otherwise a hacker could wreck your system.


