
I'm working on a solution to restrict the user to the home directory or a specific directory.

I need to restrict a user for the scenario below: we have multiple WordPress installations in the webroot, /var/www/html/wordpress1 and /var/www/html/wordpress2. I need to create a user and set the new user's home directory to /var/www/html/wordpress2/wp-content, and when this new user connects with a password using WinSCP, the user should be able to access only /var/www/html/wordpress2/wp-content and must not be able to go outside that directory.

I have followed the steps below to create a user and group, set the user's home directory, and change sshd_config, but when the user connects to the server using WinSCP, the user is still able to access any directory on the server.

useradd -g sftpgroup -d /var/www/html/wordpress2/wp-content sftpuser1
sudo passwd sftpuser1

I modified /etc/ssh/sshd_config:

Subsystem sftp internal-sftp
   Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

After the configuration, the new user is still able to see all the other folders on the server.

Hope this diagram helps to understand my problem.

Can someone please help me with a solution?

KNCK

1 Answer


If you chroot the users to /home and all users have their homes as subfolders of /home, then indeed the users can see all homes.

You probably wanted:

ChrootDirectory /home/%u

Or even better:

ChrootDirectory %h

See ChrootDirectory documentation and the list of supported tokens.


Side note: You have your directives indented under Subsystem, which gives the impression that they apply to SFTP only. They won't; they are global. Actually, indentation has no meaning in sshd_config. All that matters is whether some Match directive comes before the directive. For that reason the directives are commonly indented after the Match, but that's just for human readers; the SSH server does not care.

Subsystem sftp internal-sftp

Match Group sftpgroup
   ChrootDirectory %h
   ForceCommand internal-sftp
   X11Forwarding no
   AllowTcpForwarding no

Martin Prikryl
If I configure ChrootDirectory to `%h`, then sftpuser1 is not able to connect to the server using WinSCP, and when I check the logs I see a BROKEN-PIPE error. Also, I want to set the sftpuser1 user's home directory as `/var/www/html/wordpress2/wp-content`. Can you please help me on this? – KNCK May 07 '20 at 13:45
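As an added example (not code from the question or the answer above), here is a small Python script that resolves which ChrootDirectory sshd will apply to a given user from a config fragment: it strips indentation, tracks Match blocks, and expands the %u and %h tokens, which is exactly the distinction the answer makes. It models only global scope and `Match Group` criteria (User, Address and Host criteria and sshd's full precedence rules are left out); the two config samples are the ones posted above, embedded as constructed strings.

```python
import re
# Constructed sample: the asker's fragment, directives indented under Subsystem.
ASKER_CONFIG = """\
Subsystem sftp internal-sftp
   Match Group sftpgroup
   ChrootDirectory /home
   ForceCommand internal-sftp
"""
# Constructed sample: the answer's corrected fragment using the %h token.
FIXED_CONFIG = """\
Subsystem sftp internal-sftp
Match Group sftpgroup
   ChrootDirectory %h
   ForceCommand internal-sftp
"""

def parse_sshd_config(text):
    """Return (scope, keyword, argument) tuples in file order; scope is None
    for global directives, else the Match criteria ("Group sftpgroup")."""
    scope, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()  # indentation means nothing to sshd
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = arg  # every following directive belongs to this block
        else:
            entries.append((scope, keyword, arg))
    return entries

def effective_chroot(text, user, group, home):
    """Resolve ChrootDirectory for `user` whose primary group is `group`.
    Simplified model: a 'Match Group <g>' block that matches overrides the
    global value; the first value seen in each scope wins."""
    global_value = match_value = None
    for scope, keyword, arg in parse_sshd_config(text):
        if keyword != "chrootdirectory":
            continue
        if scope is None:
            global_value = global_value or arg
        elif scope.lower() == f"group {group}".lower():
            match_value = match_value or arg
    chroot = match_value or global_value
    if chroot is None:
        return None
    tokens = {"%": "%", "u": user, "h": home}  # %u, %h, %% as documented
    return re.sub(r"%(.)", lambda m: tokens.get(m[1], m[0]), chroot)
```

This only resolves the configured path; sshd additionally refuses to chroot unless every component of that path is owned by root and not writable by group or others, so a login that fails right after switching to %h is worth checking against those ownership rules.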