Chrooted users for SFTP

FTP access is being used less and more SFTP access for simple security reasons. But users of the default system have access to see everything.

This is why it can be interesting to have users who are limited only to certain folders. For example, if you have multiple websites of multiple users and you don’t want one user to be able to see each other’s data.

This tutorial has been created on a VPS. You can create your own VPS from 3€/month.

In addition, you have the possibility to create your VPS with the WordPress image in one click.


Limit SSH access

The first thing we will do is limit users’ access to the corresponding folders. We’re going to put them all together in the group sftp.

addgroup sftp

Once the group is created, we will make changes to the SSH server.

We will edit the configuration file:

vim /etc/ssh/sshd_config

We will look for the following code:

Subsystem sftp /usr/lib/openssh/sftp-server

And we will replace it with:

Subsystem sftp internal-sftp

Later we will add a series of rules for the users of this group:

Match Group sftp
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTCPForwarding no
  PasswordAuthentication yes

Once we finish, we will restart the service and validate that it works.

systemctl restart sshd
systemctl status sshd

Copying the system

Since we’re only going to let users access a limited number of folders, we also need some programs to work. That is why we must create a structure copied from the system.

In this example we are going to create a folder to host everything in /webs/.

mkdir -p /webs/

We will validate that there are a number of real folders (not the symbolic ones).

ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}

that will return something similar to this:

crw-rw-rw- 1 root root 1, 3 jun 25 14:47 /dev/null
crw-rw-rw- 1 root root 1, 8 jun 25 14:47 /dev/random
lrwxrwxrwx 1 root root   15 jun 25 14:47 /dev/stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root   15 jun 25 14:47 /dev/stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root   15 jun 25 14:47 /dev/stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty  5, 0 jun 25 14:47 /dev/tty
crw-rw-rw- 1 root root 1, 5 jun 25 14:47 /dev/zero

We will copy some of the folders to our new root place.

mkdir -p /webs/dev/
mknod -m 666 /webs/dev/null c 1 3
mknod -m 666 /webs/dev/random c 1 8
mknod -m 666 /webs/dev/tty c 5 0
mknod -m 666 /webs/dev/zero c 1 5

We will limit access to this folder to root only and validate it. It is important that the full permissions are only to the owner and not to the group, so we will use 0755.

chown root: /webs
chmod 0755 /webs
ls -ld /webs

We will copy the Bash.

mkdir -p /webs/bin
cp -v /bin/bash /webs/bin

We will have to copy some libraries. First we will create the folder structure.

mkdir -p /webs/lib/
mkdir -p /webs/lib64/
mkdir -p /webs/lib/x86_64-linux-gnu/

And we will validate that there are a number of files.

ll /lib/x86_64-linux-gnu/{*,*,*,*}
ldd /bin/bash

We will copy the corresponding files.

cp -v /lib/x86_64-linux-gnu/{*,*,*} /webs/lib/
cp -v /lib64/* /webs/lib64/
cp -va /lib/x86_64-linux-gnu/libnss_files* /webs/lib/x86_64-linux-gnu/

Finally, we will make a copy of the user permissions.

mkdir -p /webs/etc/
cp -vf /etc/{passwd,group} /webs/etc/

With this we will have everything necessary so that users can connect by SFTP and interact with the upload and download of files.

Creating a user

The users will be created so that they only have access to this folder /webs/ that we have created and that they belong to the group sftp.

useradd usuarioejemplo -m -d /webs/usuarioejemplo -G sftp

We can validate that you are in your group and in the sftp.

groups usuarioejemplo

That will give us back something like:

usuarioejemplo : usuarioejemplo sftp

The next thing will be to remove the access permissions by SSH, since if they access by SSH they would have the possibility to execute or access anywhere,

usermod -s /bin/false usuarioejemplo

And finally we will give a password to the user.

passwd usuarioejemplo

Now we will make sure that the proprietary folder of that user is rooted and that he cannot access.

chown root: /webs/usuarioejemplo
chmod 0755 /webs/usuarioejemplo

And, since we have changed the permissions, groups and so on, we will make a new copy of the accesses.

cp -vf /etc/{passwd,group} /webs/etc/

Accessing by SFTP

At this time, users will be able to access the server by SFTP, in the same way as they would by FTP. By default the FTP port is 21, and the SFTP port is 22.

Creating a website

From this moment we could create folders for different websites. If you are responsible for the system, you can create a site for the user.

First we would create the folder

mkdir /webs/usuarioejemplo/

And finally we make sure you have your permissions.

chown usuarioejemplo: /webs/usuarioejemplo/

At this time the user could already manage all its contents by SFTP.

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.