How to Set Up an SFTP Chroot Jail on Linux with Google Cloud Platform. Ever wondered how to lock down a user to their own home directory on your Ubuntu or CentOS servers?
By default an SFTP user can browse every directory on the server that the normal file permissions allow, including other users' home directories. Nobody wants users navigating around the server and viewing other users' files.
In this tutorial you will learn how to set up an SFTP jail that locks a user into their home directory. We will also disable interactive SSH access for that user and allow SFTP only. This guide works on any Linux distribution that runs OpenSSH.
Prerequisites
- A running Compute Engine instance, see Setting up Compute Engine Instance with Ubuntu 18.04
- Initial Ubuntu Server Set up.
Step 1: Create a new Chroot Group
Create a new group; every user who should be jailed will be added to this group.
sudo groupadd jailgroup
Step 2: Add Users to the Chroot Group
Now create a user and add the user to the jailgroup group.
sudo useradd -g jailgroup -s /bin/false -m -d /home/username username
- -g jailgroup sets the restricted group we created above as the user's primary group.
- -s /bin/false gives the user a shell that exits immediately, so interactive SSH logins fail.
- -m -d /home/username creates the user's home directory at /home/username.
If the user already exists, add them to the group and replace their login shell instead.
sudo usermod -g jailgroup -s /bin/false username
Step 3: Setup password for the user
By default Google Cloud instances do not allow password-based authentication (PasswordAuthentication is set to no in sshd_config). If you have enabled password authentication, set a password for the user; otherwise set up key-based SFTP access to your instance instead.
To set the password, run the following.
sudo passwd username
Step 4: Setup Correct Permissions
Important: the user's home directory is the chroot directory, so it must be owned by root and must not be writable by group or others; otherwise sshd rejects the login with "bad ownership or modes for chroot directory component". The same rule applies to every parent directory in the path (/ and /home). Mode 755 satisfies this, and as a side effect the user cannot create files or directories directly in their home directory, only inside the sub-directories created below.
sudo chown root: /home/username
sudo chmod 755 /home/username
Now create the directories the user will actually write to inside the home directory and give the user ownership of them.
sudo mkdir /home/username/{public,logs}
sudo chmod 755 /home/username/{public,logs}
sudo chown username:jailgroup /home/username/{public,logs}
By default Apache or Nginx runs as the user www-data. Because these directories are owned by the SFTP user, you need to configure the PHP-FPM pool to run as the user owning the files so the web application can read and write them.
Step 5: Configure SSH
Open the SSH configuration file /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
Go to the bottom of the file by pressing ALT + / and find the line starting with Subsystem sftp (on Ubuntu it reads Subsystem sftp /usr/lib/openssh/sftp-server).
Replace it with the following.
Subsystem sftp internal-sftp
Finally, add the following Match block at the very end of the file. It must come last: every directive after a Match line belongs to that block until the next Match, so anything placed below it would apply only to jailed users.
Match Group jailgroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
Hit CTRL + X, followed by Y and Enter, to save and exit the file.
Now restart the SSH service to apply the changes. On Ubuntu and Debian the service is called ssh.
sudo systemctl restart ssh
On CentOS or Fedora the service is called sshd, so use the following command instead.
sudo systemctl restart sshd
Step 6: Test the Setup
If you do not have password-based authentication enabled, set up key-based SFTP access to your instance and test the configuration with FileZilla, WinSCP or Cyberduck.
If you have set a password, you can use the following commands to check.
Open an SFTP connection to your server with the sftp command.
sftp username@IP_ADDRESS
Enter the password you have setup before when prompted.
Now you will be logged in to the server and can see the sftp> prompt.
Run the pwd command. If the chroot is working, the remote working directory is reported as /, which is the jailed user's home directory rather than the real root of the server.
Output
sftp> pwd
Remote working directory: /
Run the ls command to list all files and directories. You can see the directories we created before.
Output
sftp> ls
public logs
Conclusion
You have now learned how to set up a chroot environment that restricts SFTP users to their own home directories and denies them shell access.
If you have any questions or feedback, please feel free to leave a comment below.