Google Cloud AWS

How to Restrict User to Specific Directory on Linux – Google Cloud

Disclosure: This post may contain affiliate links, which means we may receive a commission if you click a link and purchase something that we recommended.

Pinterest LinkedIn Tumblr

How to Restrict a User to Specific Directory on Linux – Google Cloud. It is necessary to limit user with specific privileges by restricting SSH or allow only to access specific directory.

This guide provides a detailed guide to restrict users to access only a specific directories by modifying the SSH configuration file. This is also known as a chroot jail setup.

This guide is tested on Google Cloud Platform running Ubuntu 20.04 Linux machine. This setup will surely work on AWS, Azure or any cloud or any VPS or dedicated servers running any Linux distributions.


  • Root access to the server or user with sudo privileges

Create New Group

Create a new group to add all users inside this group.

sudo groupadd restriction

Create Users and Add to Group

Now you can create user or add the existing user to the new restriction group.

If you want to create a new user you ca follow this command.

sudo useradd -g restriction username
  • -g restriction will add the user to the restricted group we created above.

If you need to prevent shell access you need to use the -s flag with /bin/false value which prevents SFTP access. If SFTP is blocked you cannot access the server with SSH keys. In this case you need to setup FTP, to install and configure VSFTP you can follow this setup.

Now here we wont block shell access.

If you need to add the existing user to the group you can use this command.

sudo usermod -g restriction username

You can use the same command to create unlimited users.

Configure SSH

Once the user is created and assigned to the group you can configure SSH to limit access to specific directory.

Open the SSH configuration file /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Go to the bottom of the file  to find the line starting with Subsystem sftp /usr/lib/openssh/sftp-server and replace it with the following.

Subsystem sftp internal-sftp

Finally add the below lines to bottom.

Match user username
  ChrootDirectory /path/to/folder
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Hit CTRL + X followed by Y and Enter to save and exit the file.

Now restart the SSH service to apply the changes.

sudo systemctl restart ssh

For CentOS or Fedora you can use the following command to restart the SSH service.

sudo systemctl restart sshd

Once SSH is restarted you can access your instance you will be allowed only to view the directory that you used.

Test the Setup

If you don’t have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.

You you have your passwords setup you can use these commands to check.

Open a SFTP connection to your server with the sftp command.

sftp username@IP_ADDRESS

Enter the password you have setup before when prompted.

Now you will be logged in to the server and can see the sftp> prompt.

Run the pwd command, if the configuration is working fine you will get the output as /.

Prepare yourself for a role working as an Information Technology Professional with Linux operating system

sftp> pwd
Remote working directory: /


Now you have learned how to restrict a user to specific directory in Linux.

Thanks for your time. If you face any problem or any feedback, please leave a comment below.

1 Comment

  1. Thanks for the great article and clear instructions. Upon complete, I tried to test the sftp and get this response:
    It does ask for my password, but then it disconnects me with this message:
    client_loop: send disconnect: Connection reset

    any idea what’s happening?

Write A Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.