Limiting SFTP Users While Not Limiting Regular Users?

Hi,

I have searched the web and have come back with nothing that is satisfactory for what I require. SFTP is my corporation's new file transfer standard. What I require is a method to lock down SFTP users to their directory (they may go to subdirectories) while not restricting regular users.

We set up a CHROOTed user in OpenSSH but it requires that the write option be disabled (for world and group) in all the parent directories of where we would like the SFTP user home directory to be. We tried to hard link the user directory to the location but it still requires write be disabled (for world and group) in the parent directories of the directory that is linked. An easy alternative would be to disable the CD command but once again I have not found a method to do so. Any ideas are greatly appreciated!

Thanks ahead of time!

A more or less standard method is to chroot those users to their home directory - which is usually not part of the regular users' directory tree.

see:
best practices for chroot: Best Practices for UNIX chroot() Operations
script for a chroot jail: fuschlberger.net - Howto Setup a chroot-jail for ssh/scp with Linux

ssh is the protocol for sftp and friends. sftp, sshd, ssh and scp are all part of the same thing.

This article: Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only
and its parent article: How to: Configure User Account to Use a Restricted Shell ( rssh ) look promising, hth.
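
Added example, not part of any post above: the ownership rule the question runs into comes from sshd, which at session start checks that every component of the `ChrootDirectory` path is a root-owned directory not writable by any other user or group. The script below walks a candidate path upward and reports each component that would fail that check; it assumes GNU `stat`, and `/sftp/alice` and the optional UID/TOP arguments are hypothetical conveniences for illustration.

```shell
#!/bin/sh
# Added example: audit a directory intended for sshd's ChrootDirectory.
# Assumes GNU stat (Linux). Usage: sh check_chroot.sh /sftp/alice

# component_ok DIR [UID]
# Succeeds if DIR is a directory owned by UID (default 0, root) with no
# group- or world-write bit. Leaves the observed values in $owner and $mode.
component_ok() {
    dir=$1 want_uid=${2:-0} owner= mode=
    [ -d "$dir" ] || return 1
    read -r owner mode <<EOF
$(stat -L -c '%u %a' -- "$dir")
EOF
    [ "$owner" = "$want_uid" ] || return 1
    # 022 = group-write | other-write; the leading 0 makes $mode octal.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# check_chroot_path PATH [UID] [TOP]
# Checks PATH and each parent up to TOP (default /). Prints one FAIL line
# per offending component and returns 0 only if every component passed.
# UID and TOP exist so the check can be exercised without root.
check_chroot_path() {
    p=$1 uid=${2:-0} top=${3:-/} bad=0
    case $p in
        /*) ;;
        *) echo "path must be absolute: $p" >&2; return 2 ;;
    esac
    while :; do
        if ! component_ok "$p" "$uid"; then
            echo "FAIL $p owner=$owner mode=$mode"
            bad=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $bad
}

# Run the audit when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Any `FAIL` line names a directory that has to be given to root (`chown root`) and stripped of group/world write (`chmod go-w`) before sshd will accept the chroot; a writable upload directory then goes inside the jail, owned by the SFTP user.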