How to Restrict a User to Specific Directory on Linux – Google Cloud. It is necessary to limit user with specific privileges by restricting SSH or allow only to access specific directory.
This guide provides a detailed guide to restrict users to access only a specific directories by modifying the SSH configuration file. This is also known as a chroot jail setup.
This guide is tested on Google Cloud Platform running Ubuntu 20.04 Linux machine. This setup will surely work on AWS, Azure or any cloud or any VPS or dedicated servers running any Linux distributions.
Prerequisites
- Root access to the server or user with sudo privileges
Create New Group
Create a new group to add all users inside this group.
sudo groupadd restriction
Create Users and Add to Group
Now you can create user or add the existing user to the new restriction group.
If you want to create a new user you ca follow this command.
sudo useradd -g restriction username
-g restrictionwill add the user to the restricted group we created above.
If you need to prevent shell access you need to use the -s flag with /bin/false value which prevents SFTP access. If SFTP is blocked you cannot access the server with SSH keys. In this case you need to setup FTP, to install and configure VSFTP you can follow this setup.
Now here we wont block shell access.
If you need to add the existing user to the group you can use this command.
sudo usermod -g restriction username
You can use the same command to create unlimited users.
Configure SSH
Once the user is created and assigned to the group you can configure SSH to limit access to specific directory.
Open the SSH configuration file /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Go to the bottom of the file to find the line starting with Subsystem sftp /usr/lib/openssh/sftp-server and replace it with the following.
Subsystem sftp internal-sftp
Finally add the below lines to bottom.
Match user username
ChrootDirectory /path/to/folder
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Hit CTRL + X followed by Y and Enter to save and exit the file.
Now restart the SSH service to apply the changes.
sudo systemctl restart ssh
For CentOS or Fedora you can use the following command to restart the SSH service.
sudo systemctl restart sshd
Once SSH is restarted you can access your instance you will be allowed only to view the directory that you used.
Test the Setup
If you don’t have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.
You you have your passwords setup you can use these commands to check.
Open a SFTP connection to your server with the sftp command.
sftp username@IP_ADDRESS
Enter the password you have setup before when prompted.
Now you will be logged in to the server and can see the sftp> prompt.
Run the pwd command, if the configuration is working fine you will get the output as /.
Prepare yourself for a role working as an Information Technology Professional with Linux operating system
Output
sftp> pwd
Remote working directory: /
Conclusion
Now you have learned how to restrict a user to specific directory in Linux.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.
1 Comment
Thanks for the great article and clear instructions. Upon complete, I tried to test the sftp and get this response:
It does ask for my password, but then it disconnects me with this message:
client_loop: send disconnect: Connection reset
any idea what’s happening?