How to restrict server users to a specific directory in Linux

Image: Production Perig/Shutterstock

When you person a server with SSH access, unless you've configured it otherwise, immoderate idiosyncratic with an relationship connected that strategy tin log successful and, if they person the permissions and skill, wreak havoc connected your server.

SEE: 40+ unfastened root and Linux presumption you request to cognize (TechRepublic Premium)

You don't privation that. 

What you tin bash is restrict those users with a chroot jail. By doing this you severely bounds what those users tin bash connected your system. In fact, immoderate idiosyncratic who is constricted to a chroot jailhouse can:

1. Only entree the server via sftp
2. Only entree a circumstantial directory

This is simply a large information summation to your Linux servers, and if you necessitate specified a usage case, see it a must-do. This is particularly important if you person a server that houses delicate information and you don't privation users adjacent viewing those files and folders.

This setup isn't each that challenging. In fact, the configuration is overmuch easier than uncovering ways to deploy the feature. But connected those occasions erstwhile you bash request to severely restrict what a idiosyncratic tin entree connected your Linux servers, this is 1 sure-fire mode of doing so.

What you'll request

To marque this work, you'll request a moving lawsuit of Linux and a idiosyncratic with sudo privileges. That's it. Let's marque immoderate information magic.

How to make a restricted radical and adhd users connected a Linux server

The archetypal happening we indispensable bash is make a caller radical and adhd users to it. Create the radical with:

sudo groupadd restricted

Next, adhd a idiosyncratic to the radical with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the idiosyncratic you privation to adhd to the restricted group.

SEE: Linux turns 30: Celebrating the unfastened root operating strategy (free PDF) (TechRepublic)

How to configure SSH

Open the SSH daemon configuration record with:

sudo nano /etc/ssh/sshd_config

Look for the enactment (near the bottom):

Subsystem sftp /usr/lib/openssh/sftp-server

Change that enactment to:

Subsystem sftp internal-sftp

At the bottommost of the file, adhd the following:

Match radical restricted ChrootDirectory /home/ ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no

Save and adjacent the file. Restart SSH with:

sudo systemctl restart ssh

Now, spell backmost to different instrumentality and effort to SSH into the server with the user, specified as:

ssh olivia@192.168.1.147

You'll spot the warning:

This work allows sftp connections only. Connection to 192.168.1.147 closed.

In bid for immoderate idiosyncratic successful the restricted radical to log into the server, they indispensable usage sftp similar so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP code oregon domain of the server. Once they successfully log in, they'll beryllium astatine the sftp punctual wherever they tin transportation files backmost and distant with the enactment and get commands. Those restricted users tin lone upload files to their location directories. When a restricted idiosyncratic initially logs in, they'll beryllium successful the /home directory. So, to successfully upload, they would person to alteration into their location directory with a bid like:

cd olivia

Once successful their location directory, they tin past contented a bid like:

put file1

As agelong arsenic that record is successful the existent moving directory of the instrumentality they logged into the server from, it'll upload conscionable fine. If those users lone request to download files to their section machine, they'd usage a bid like:

get file1

I recognize this is simply a precise limiting configuration with precise constricted usage cases, but astatine immoderate constituent successful your Linux admin career, you're going to tally into an lawsuit wherever you request to bounds users to logging into a chroot jail. This is 1 mode to bash it. 

Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.

Also spot

• 9 web commands each Linux admin should know (TechRepublic)
• How to usage CyberPanel to easy negociate Docker images and containers (TechRepublic)
• How to go a cybersecurity pro: A cheat sheet (TechRepublic)
• NIST Cybersecurity Framework: A cheat expanse for professionals (free PDF) (TechRepublic)
• What are mobile VPN apps and wherefore you should beryllium utilizing them (TechRepublic Premium)
• Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)