AWS Google Cloud

How to Restrict User to Specific Directory on Linux – Google Cloud

How to Restrict a User to Specific Directory on Linux – Google Cloud. It is necessary to limit user with specific privileges by restricting SSH or allow only to access specific directory.

This guide provides a detailed guide to restrict users to access only a specific directories by modifying the SSH configuration file. This is also known as a chroot jail setup.

This guide is tested on Google Cloud Platform running Ubuntu 20.04 Linux machine. This setup will surely work on AWS, Azure or any cloud or any VPS or dedicated servers running any Linux distributions.

Choose Best Hosting for your Business

PlatformReviewsPricing
Siteground★★★★★$3.95
Kinsta – Google Cloud★★★★★$30

Prerequisites

  • Root access to the server or user with sudo privileges

Create New Group

Create a new group to add all users inside this group.

sudo groupadd restriction

Create Users and Add to Group

Now you can create user or add the existing user to the new restriction group.

If you want to create a new user you ca follow this command.

sudo useradd -g restriction username
  • -g restriction will add the user to the restricted group we created above.

If you need to prevent shell access you need to use the -s flag with /bin/false value which prevents SFTP access. If SFTP is blocked you cannot access the server with SSH keys. In this case you need to setup FTP, to install and configure VSFTP you can follow this setup.

Now here we wont block shell access.

If you need to add the existing user to the group you can use this command.

sudo usermod -g restriction username

You can use the same command to create unlimited users.

Configure SSH

Once the user is created and assigned to the group you can configure SSH to limit access to specific directory.

Open the SSH configuration file /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Go to the bottom of the file  to find the line starting with Subsystem sftp /usr/lib/openssh/sftp-server and replace it with the following.

Subsystem sftp internal-sftp

Finally add the below lines to bottom.

Match user username
  ChrootDirectory /path/to/folder
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Hit CTRL + X followed by Y and Enter to save and exit the file.

Now restart the SSH service to apply the changes.

sudo systemctl restart ssh

For CentOS or Fedora you can use the following command to restart the SSH service.

sudo systemctl restart sshd

Once SSH is restarted you can access your instance you will be allowed only to view the directory that you used.

Test the Setup

If you don’t have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.

You you have your passwords setup you can use these commands to check.

Open a SFTP connection to your server with the sftp command.

sftp username@IP_ADDRESS

Enter the password you have setup before when prompted.

Now you will be logged in to the server and can see the sftp> prompt.

Run the pwd command, if the configuration is working fine you will get the output as /.

Become a Linux System Administrator and maintain virtual servers in a multi-user environment.

Output
sftp> pwd
Remote working directory: /

Conclusion

Now you have learned how to restrict a user to specific directory in Linux.

Thanks for your time. If you face any problem or any feedback, please leave a comment below.

Cloudbooklet builds a large collection of Linux based guides and tutorials on Cloud platforms like Google Cloud, AWS, Azure, DigitalOcean and more

Write A Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

If you find this helpful? Support me!
Buy me a coffee Donation Please buy me a coffee