How to restrict server users to a specific directory in Linux

Need to lock down this linux server so some remote users can only access a specific directory and only for file download purposes? Jack Wallen shows you how.

When you have a server with SSH access, unless you have configured it otherwise, any user with an account on that system can log in and, if they have the permissions and skills, wreak havoc on your system. server.

SEE: Over 40 Open Source and Linux Terms You Need To Know (TechRepublic Premium)

You don’t want that.

What you can do is restrict these users with a chroot jail. By doing this, you drastically limit what these users can do on your system. In fact, any user limited to a chroot jail can:

  1. Access the server only via sftp
  2. Access only a specific directory

It’s a great security addition to your Linux servers, and if you need such a use case, consider it a must-have. This is especially important if you have a server that hosts sensitive data and you don’t even want users to view those files and folders.

This setup is not that difficult. In fact, the configuration is much easier than finding ways to deploy the functionality. But in cases where you need to severely restrict a user’s access to your Linux servers, this is a surefire way to do it.

What you will need

For this to work you will need a running Linux instance and a user with sudo privileges. That’s it. Let’s do some security magic.

How to create a restricted group and add users on a Linux server

The first thing we need to do is create a new group and add users to it. Create the group with:

sudo groupadd restricted

Then add a user to the group with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted group.

SEE: Linux Turns 30: Celebrating the Open Source Operating System (Free PDF) (TechRepublic)

How to configure SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line (near the bottom):

Subsystem sftp  /usr/lib/openssh/sftp-server

Replace this line with:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Save and close the file. Restart SSH with:

sudo systemctl restart ssh

Now go back to another machine and try to SSH connect to the server with the user, for example:

ssh [email protected]

You will see the warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.

For a user in the restricted group to be able to connect to the server, they must use sftp as follows:

sftp [email protected]

Where USERNAME is the user name and SERVER is the IP address or domain of the server. Once they have successfully connected, they will be at the sftp prompt where they can transfer files back and forth with the put and get commands. These restricted users can only upload files to their home directories. When a restricted user initially logs in, they are in the / home directory. So, in order to successfully download, they would have to go to their home directory with a command like:

cd olivia

Once in their home directory, they can then issue a command like:

put file1

As long as this file is in the current working directory of the machine from which they connected to the server, it will download just fine. If these users only need to download files to their local computer, they will use a command like:

get file1

I realize this is a very limited setup with very limited use cases, but at some point in your Linux admin career you are going to come across an instance where you need to limit users to connect to a chroot jail. This is one way to do it.

Subscribe to How to Make TechRepublic Technology Work on YouTube for all the latest tech tips for professionals at Jack Wallen’s business.

Also look

View of a data center from the server room - 3D rendering

Image: Production Perig / Shutterstock

Comments are closed.