2

I was hoping someone could help me with this problem

"Trying to setup a SFTP user with limited access."

I'm running Ubuntu 16.04.2 x64 on a DigitalOcean server. I've posted this on the DigitalOcean forums too.

Current setup

  • I've setup my server using ServerPilot.
  • The system user is called serverpilot
  • serverpilot has root privileges,
  • The home folder is located at: /srv/users/serverpilot
  • The public folder is located at: /srv/users/serverpilot/apps/test-app/public/

What I want to do

I want to add a second user, but restrict what the user can do:

  • Only access a single folder called newsletters, it will be in the public folder.
  • The user needs to be able to upload, delete and rename files via SFTP
  • The user must not be able to navigate away from the newsletters, folder

This is the full path to the newsletters folder: /srv/users/serverpilot/apps/test-app/public/newsletters

What I've done so far

I've followed this guide How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata), there's a great reply by Jonathan Tittle (@jtittle).

However, I'm still having problems logging in via SFTP

I've listed out all the steps I've done - hopefully someone with more experience will be able to spot my error(s)!

1. Created a new user

  1. Logged in as root
  2. Created a new user called user-sftp-only
  3. adduser user-sftp-only
  4. I can check the user has been created by running
  5. compgen -u
  6. user-sftp-only is at the bottom of the list
  7. I can also see what the path of the user is and shell access by running:

  8. grep user-sftp-only /etc/passwd outputs:

    user-sftp-only:x:1004:1007:,,,:/home/user-sftp-only:/bin/bash

2. Give new user root privileges

  1. Give new user user-sftp-only root privileges
  2. gpasswd -a user-sftp-only sudo
  3. Logout as root

3. Create a new directory

  1. Logged in as user-sftp-only
  2. Create a new directory in public called newsletters:
  3. cd /srv/users/serverpilot/apps/test-app/public/
  4. Followed by:
  5. sudo mkdir newsletters

4. Check directory permissions

Still inside the public folder from the previous step, I run 

$ ls -al
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar  3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar  3 16:22 index.php
drwxrwxr-x+ 2 root        root        4096 Mar  7 15:26 newsletters

From reading various DigitalOcean posts, I know I need to create a group and assign my new user user-sftp-only to that group, Then change root root to the name of my user and group.

5. Create a new group

  1. Logged in as user-sftp-only
  2. sudo groupadd group-sftp-only
  3. I can check the group has been created by running
  4. compgen -g
  5. group-sftp-only is at the bottom of the list

Note: I notice my new user called user-sftp-only is also in this list?

6. Add user to the group

  1. Logged in as root
  2. Added the user user-sftp-only to a group called group-sftp-only

  3. Doing this means it's no longer possible to SSH in as user user-sftp-only

    usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only
    • -gspecifies the group name
    • -d specifies the users home directory
    • -s specifies shell access (/sbin/nologin means SSH is disabled for this user)

7. Verify the changes to the user

Logged in as root

$ grep user-sftp-only /etc/passwd
user-sftp-only:x:1001:1004:,,,:/srv/users/serverpilot/apps/test-app/public/newsletters:/sbin/nologin

8. Modify SSH Configuration to allow SFTP

  1. Logged in as root
  2. nano /etc/ssh/sshd_config
  3. Commented out this line:
  4. #Subsystem sftp /usr/lib/openssh/sftp-server -l INFO

  5. At the very bottom of sshd_config added this:

     Subsystem sftp internal-sftp
    Match group group-sftp-only
    ChrootDirectory %h
    ForceCommand internal-sftp

9. Restart SSH

  1. Still logged in as root
  2. service ssh restart

10. Modify permissions

  1. Still logged in as root
  2. This is the home directory for user user-sftp-only
  3. /srv/users/serverpilot/apps/test-app/public/newsletters

  4. Used this to make sure the home directory is owned by the user and group

    chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters

11. Verify ownership change

Still logged in as root:

$ cd /srv/users/serverpilot/apps/test-app/public/`
$ ls -al
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  3 16:22 ..
-rw-r--r--+ 1 serverpilot    serverpilot     3393 Mar  3 16:22 index.php
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar  7 15:26 newsletters

$ cd /srv/users/serverpilot/apps/test-app/public/newsletters
$ ls -al
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar  7 15:26 .
drwxr-xr-x+ 3 serverpilot    serverpilot     4096 Mar  7 15:26 ..

That's where I'm up to. However, I can't login in as my new user user-sftp-only via SFTP

Zanna
  • 70,465
Stephen Meehan
  • 21

1 Answers1

1
tail -f /var/log/syslog

Try to sftp into user-sftp-only account Note success/failure info message

If failure, add the following line to /etc/ssh/sshd_config:

AllowUsers user-sftp-only

then run:

sudo service sshd restart
anonymous2
  • 4,298
jones0610
  • 2,157