How to restrict server users to a specific directory in Linux

2 years ago 259

Need to fastener down that Linux server truthful definite distant users tin lone entree a circumstantial directory and lone for record upload and download purposes? Jack Wallen shows you how.

View of a Server country   information  halfway  - 3d rendering

Image: Production Perig/Shutterstock

When you person a server with SSH access, unless you've configured it otherwise, immoderate idiosyncratic with an relationship connected that strategy tin log successful and, if they person the permissions and skill, wreak havoc connected your server.

SEE: 40+ unfastened root and Linux presumption you request to cognize (TechRepublic Premium)

You don't privation that. 

What you tin bash is restrict those users with a chroot jail. By doing this you severely bounds what those users tin bash connected your system. In fact, immoderate idiosyncratic who is constricted to a chroot jailhouse can:

  1. Only entree the server via sftp
  2. Only entree a circumstantial directory

This is simply a large information summation to your Linux servers, and if you necessitate specified a usage case, see it a must-do. This is particularly important if you person a server that houses delicate information and you don't privation users adjacent viewing those files and folders.

This setup isn't each that challenging. In fact, the configuration is overmuch easier than uncovering ways to deploy the feature. But connected those occasions erstwhile you bash request to severely restrict what a idiosyncratic tin entree connected your Linux servers, this is 1 sure-fire mode of doing so.

What you'll request

To marque this work, you'll request a moving lawsuit of Linux and a idiosyncratic with sudo privileges. That's it. Let's marque immoderate information magic.

How to make a restricted radical and adhd users connected a Linux server

The archetypal happening we indispensable bash is make a caller radical and adhd users to it. Create the radical with:

sudo groupadd restricted

Next, adhd a idiosyncratic to the radical with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the idiosyncratic you privation to adhd to the restricted group.

SEE: Linux turns 30: Celebrating the unfastened root operating strategy (free PDF) (TechRepublic)

How to configure SSH

Open the SSH daemon configuration record with:

sudo nano /etc/ssh/sshd_config

Look for the enactment (near the bottom):

Subsystem sftp /usr/lib/openssh/sftp-server

Change that enactment to:

Subsystem sftp internal-sftp

At the bottommost of the file, adhd the following:

Match radical restricted ChrootDirectory /home/ ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no

Save and adjacent the file. Restart SSH with:

sudo systemctl restart ssh

Now, spell backmost to different instrumentality and effort to SSH into the server with the user, specified as:

ssh olivia@192.168.1.147

You'll spot the warning:

This work allows sftp connections only. Connection to 192.168.1.147 closed.

In bid for immoderate idiosyncratic successful the restricted radical to log into the server, they indispensable usage sftp similar so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP code oregon domain of the server. Once they successfully log in, they'll beryllium astatine the sftp punctual wherever they tin transportation files backmost and distant with the enactment and get commands. Those restricted users tin lone upload files to their location directories. When a restricted idiosyncratic initially logs in, they'll beryllium successful the /home directory. So, to successfully upload, they would person to alteration into their location directory with a bid like:

cd olivia

Once successful their location directory, they tin past contented a bid like:

put file1

As agelong arsenic that record is successful the existent moving directory of the instrumentality they logged into the server from, it'll upload conscionable fine. If those users lone request to download files to their section machine, they'd usage a bid like:

get file1

I recognize this is simply a precise limiting configuration with precise constricted usage cases, but astatine immoderate constituent successful your Linux admin career, you're going to tally into an lawsuit wherever you request to bounds users to logging into a chroot jail. This is 1 mode to bash it. 

Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article