Create an SSH user who only has permission to access specific folders

50

37

I installed SSH, but I found if I use my original account to login to Ubuntu, it has too many permissions.

I want to constrain the user to only have permissions for specific folders in Ubuntu. How can I configure such a user?

Foolish

Posted 2010-06-06T12:40:52.347

Reputation: 1 419

Answers

53

This is simple. Just create a new user with its home directory set to the one you need him to have access to (this command must be run under sudo or in root shell):

adduser --home /restricted/directory restricted_user

This will create a user restricted_user, the directory /restricted/directory and then permissions on the directory will be set so the user can write to it. It won't have an ability to write to any other directory by default.

If you have the directory already, you can run adduser command with a --no-create-home option appended and set permissions manually (also with root privileges), like:

chown restricted_user:restricted_user /restricted/directory
chmod 755 /restricted/directory

If you need to make even world-writable directories unaccessible for this user, there are two variants.

1) If you want to provide an interactive shell session to the user, then consider following this manual on creating a chroot jail (in your /restricted/directory).

After that, add the following to your sshd_config:

Match user restricted_user
  ChrootDirectory /restricted/directory

2) If you only need him to copy files between his endpoint of connection and your host, everything is much easier. Add these lines at the end of your sshd_config:

Match user restricted_user
  ForceCommand internal-sftp
  ChrootDirectory /restricted/directory

Subsystem       sftp    internal-sftp

Then comment out the Subsystem sftp /usr/lib/openssh/sftp-server by placing a hash (#) sign at the start.

After restarting your SSH server (it does not kill interactive sessions on restart, so it is safe even if you misconfigured something; also, does not close your running session before you have checked that you are still able to log in), everything should work as intended.

whitequark

Posted 2010-06-06T12:40:52.347

Reputation: 14 146

I tried method 2, and got Write failed: Broken pipe when I try to log in. – rebellion – 2015-02-03T10:50:48.247

3You should write the Subsystem sftp internal-sftp line in your second example above the Match block. Otherwise ssh will print out an error and does not start. – Tik0 – 2015-03-13T10:53:01.163

1I tried , but it seems that i can still cd .. and browse the upper directory. and when I use vi a.txt in the upper directory, it shows:press enter or command to continue, and i can not quit vi – Foolish – 2010-06-06T13:11:26.083

1Spoiler alert: does not work with scp – bicycle – 2017-08-07T19:22:54.690

Can that /restricted/directory be another a directory under another user's home directory? I have the root access of this machine. – Jason Goal – 2020-02-23T03:53:25.793

1Can I use option #2 if the user should only have sshfs access? – flickerfly – 2013-09-30T18:51:42.397

1Everything works fine, except that I have no write permission. How can I set a write permission for this restricted directory. If I use chmod 775, the user can't login anymore. – My-Name-Is – 2013-12-12T23:29:53.360

@My-Name-Is you could create a subdirectory and set permissions as 775 on it – whitequark – 2013-12-14T11:51:47.943

5

The easiest way to create restricted user that cannot wander off the given directory (e.g., to the upper directory etc), and have a limited/picked set of command to use, is to use a Restricted Shell. Ref:

http://man.he.net/man1/rbash

First, create a symlink called rbash (run as root user).

ln -s /bin/bash /bin/rbash

Then just create a normal user with this Restricted Shell, and set it's home dir to the desired folder:

useradd -s /bin/rbash -d /home/restricted_folder username

Even without the Restricted Shell, if you explicitly do not add this user to sudoer's list, or any special groups, then it will be limited by default.

With the Restricted Shell, the following are disallowed or not performed:

  • changing directories with cd

  • setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV

  • specifying command names containing /

  • specifying a file name containing a / as an argument to the . builtin command

  • Specifying a filename containing a slash as an argument to the -p option to the hash builtin command

  • importing function definitions from the shell environment at startup

  • parsing the value of SHELLOPTS from the shell environment at startup

  • redirecting output using the >, >|, <>, >&, &>, and >> redirect- ion operators

  • using the exec builtin command to replace the shell with another command

  • adding or deleting builtin commands with the -f and -d options to the enable builtin command

  • Using the enable builtin command to enable disabled shell builtins

  • specifying the -p option to the command builtin command

  • turning off restricted mode with set +r or set +o restricted.

These restrictions are enforced after any startup files

Moreover/Optionally, to restrict the user to a limited/picked set of command to use, you can create a .bash_profile read-only to that user, with

PATH=$HOME/bin

and symlink whatever commands you allows into the ~/bin folder to that user:

ln -s /bin/ls /home/restricted_folder/bin/ls
ln -s /bin/mkdir /home/restricted_folder/bin/mkdir
ln -s /bin/rm /home/restricted_folder/bin/rm

etc.

HTH

xpt

Posted 2010-06-06T12:40:52.347

Reputation: 5 548

i can find any file on the filesystem, including /root directory and i can read these files. Wondering how to further restrict access of seeing anything outside user folder or capturing any network packets or reading /var/log contents – 16851556 – 2019-08-14T15:47:19.530