Google Cloud Compute Engine

How to Setup SFTP Chroot Jail on Linux – Google Cloud

Disclosure: This post may contain affiliate links, which means we may receive a commission if you click a link and purchase something that we recommended.

Pinterest LinkedIn Tumblr

How to Setup SFTP Chroot Jail on Linux with Google Cloud Platform. Ever wonder how to lock down a user to their own home directory on your Ubuntu or CentOS servers.

By default a SFTP user can access all the folders in your server including other user’s directory also. No one wants the users to navigate around the server and view other users files.

In this tutorial you are going to learn how to setup SFTP Jail environment and lock down a user to their home directory. We will also restrict the access to SSH and allow SFTP only. This guide works on all Linux based distributions.


Step 1: Create a new Chroot Group

Create a new group to add all the users to this chrooted group.

sudo groupadd jailgroup

Step 2: Add Users to the Chroot Group

Now create a user and add the user to the jailgroup group.

sudo useradd -g jailgroup -s /bin/false -m -d /home/username username
  • -g jailgroup will add the user to the restricted group we created above.
  • -s /bin/false will restrict he SSH access for the user.
  • -d /home/username will create a directory for the user in the /home

if you want to add the user who exists already you can just add the user to the group and restrict shell access.

sudo usermod -g jailgroup -s /bin/false username

Step 3: Setup password for the user

By default Google Cloud does not allows password based authentication. If you have allowed password auth to yes you can setup password for the user or you can setup SFTP to access your instance or server.

To setup password you can follow this.

sudo passwd username

Step 4: Setup Correct Permissions

Important: The users home directory must be owned by the root user and must have the 755 permission to prevent the users to create additional directories in their own home directory.

sudo chown root: /home/username
sudo chmod 755 /home/username

Now you can create new directories inside the users home directory and setup full access to the respective users.

sudo mkdir /home/username/{public,logs}
sudo chmod 755 /home/username/{public,logs}
sudo chown username:jailgroup /home/username/{public,logs}

By default Apache or Nginx runs with the user www-data, as these directories are owned by the respective user you need to configure PHP-FPM pools to run as the user owning the files.

Step 5: Configure SSH

Open the SSH configuration file /etc/ssh/sshd_config

sudo nano /etc/ssh/sshd_config

Go to the bottom of the file by pressing ALT + / to find the line starting with Subsystem sftp /usr/lib/openssh/sftp-server

Replace it with the following.

Subsystem sftp internal-sftp

Finally to the bottom add these.

Match Group jailgroup
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Hit CTRL + X followed by Y and Enter to save and exit the file.

Now restart the SSH service to apply the changes.

sudo systemctl restart ssh

For CentOS or Fedora you can use the following command to restart the SSH service.

sudo systemctl restart sshd

Step 6: Test the Setup

If you dont have password based authentication enabled you can setup SFTP to access your instance or server and test your configuration using FileZilla or WinSCP or CyberDuck.

You you have your passwords setup you can use these commands to check.

Open a SFTP connection to your server with the sftp command.

sftp username@IP_ADDRESS

Enter the password you have setup before when prompted.

Now you will be logged in to the server and can see the sftp> prompt.

Run the pwd command, if the configuration is working fine you will get the output as /.

sftp> pwd
Remote working directory: /

Run the ls command to list all files and directories. You can see the directories we have created before.

sftp> ls
public  logs

Prepare yourself for a role working as an Information Technology Professional with Linux operating system


Now you have learned how to setup a chroot environment and restrict access to the user to their own home directory.

If you have any questions or feedback, please feel free to leave a comment below.

Write A Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.