How to Restrict a User to Specific Directory on Linux – Google Cloud. It is necessary to limit user with specific privileges by restricting SSH or allow only to access specific directory.
This guide provides a detailed guide to restrict users to access only a specific directories by modifying the SSH configuration file. This is also known as a chroot jail setup.
This guide is tested on Google Cloud Platform running Ubuntu 20.04 Linux machine. This setup will surely work on AWS, Azure or any cloud or any VPS or dedicated servers running any Linux distributions.
- Root access to the server or user with sudo privileges
Create New Group
Create a new group to add all users inside this group.
sudo groupadd restriction
Create Users and Add to Group
Now you can create user or add the existing user to the new restriction group.
If you want to create a new user you ca follow this command.
sudo useradd -g restriction username
-g restrictionwill add the user to the restricted group we created above.
If you need to prevent shell access you need to use the
-s flag with
/bin/false value which prevents SFTP access. If SFTP is blocked you cannot access the server with SSH keys. In this case you need to setup FTP, to install and configure VSFTP you can follow this setup.
Now here we wont block shell access.
If you need to add the existing user to the group you can use this command.
sudo usermod -g restriction username
You can use the same command to create unlimited users.
Once the user is created and assigned to the group you can configure SSH to limit access to specific directory.
Open the SSH configuration file
sudo nano /etc/ssh/sshd_config
Go to the bottom of the file to find the line starting with
Subsystem sftp /usr/lib/openssh/sftp-server and replace it with the following.
Subsystem sftp internal-sftp
Finally add the below lines to bottom.
Match user username ChrootDirectory /path/to/folder ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
CTRL + X followed by
Enter to save and exit the file.
Now restart the SSH service to apply the changes.
sudo systemctl restart ssh
For CentOS or Fedora you can use the following command to restart the SSH service.
sudo systemctl restart sshd
Once SSH is restarted you can access your instance you will be allowed only to view the directory that you used.
Test the Setup
If you don’t have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.
You you have your passwords setup you can use these commands to check.
Open a SFTP connection to your server with the
Enter the password you have setup before when prompted.
Now you will be logged in to the server and can see the
pwd command, if the configuration is working fine you will get the output as
Output sftp> pwd Remote working directory: /
Now you have learned how to restrict a user to specific directory in Linux.
Thanks for your time. If you face any problem or any feedback, please leave a comment below.