50
37
I installed SSH, but I found if I use my original account to login to Ubuntu, it has too many permissions.
I want to constrain the user to only have permissions for specific folders in Ubuntu. How can I configure such a user?
50
37
I installed SSH, but I found if I use my original account to login to Ubuntu, it has too many permissions.
I want to constrain the user to only have permissions for specific folders in Ubuntu. How can I configure such a user?
53
This is simple. Just create a new user with its home directory set to the one you need him to have access to (this command must be run under sudo
or in root shell):
adduser --home /restricted/directory restricted_user
This will create a user restricted_user
, the directory /restricted/directory
and then permissions on the directory will be set so the user can write to it. It won't have an ability to write to any other directory by default.
If you have the directory already, you can run adduser
command with a --no-create-home
option appended and set permissions manually (also with root privileges), like:
chown restricted_user:restricted_user /restricted/directory
chmod 755 /restricted/directory
If you need to make even world-writable directories unaccessible for this user, there are two variants.
1) If you want to provide an interactive shell session to the user, then consider following this manual on creating a chroot jail (in your /restricted/directory
).
After that, add the following to your sshd_config
:
Match user restricted_user
ChrootDirectory /restricted/directory
2) If you only need him to copy files between his endpoint of connection and your host, everything is much easier. Add these lines at the end of your sshd_config
:
Match user restricted_user
ForceCommand internal-sftp
ChrootDirectory /restricted/directory
Subsystem sftp internal-sftp
Then comment out the Subsystem sftp /usr/lib/openssh/sftp-server
by placing a hash (#
) sign at the start.
After restarting your SSH server (it does not kill interactive sessions on restart, so it is safe even if you misconfigured something; also, does not close your running session before you have checked that you are still able to log in), everything should work as intended.
5
The easiest way to create restricted user that cannot wander off the given directory (e.g., to the upper directory etc), and have a limited/picked set of command to use, is to use a Restricted Shell. Ref:
First, create a symlink called rbash
(run as root user).
ln -s /bin/bash /bin/rbash
Then just create a normal user with this Restricted Shell, and set it's home dir to the desired folder:
useradd -s /bin/rbash -d /home/restricted_folder username
Even without the Restricted Shell, if you explicitly do not add this user to sudoer's list, or any special groups, then it will be limited by default.
With the Restricted Shell, the following are disallowed or not performed:
changing directories with cd
setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
specifying command names containing /
specifying a file name containing a / as an argument to the . builtin command
Specifying a filename containing a slash as an argument to the -p option to the hash builtin command
importing function definitions from the shell environment at startup
parsing the value of SHELLOPTS from the shell environment at startup
redirecting output using the >, >|, <>, >&, &>, and >> redirect- ion operators
using the exec builtin command to replace the shell with another command
adding or deleting builtin commands with the -f and -d options to the enable builtin command
Using the enable builtin command to enable disabled shell builtins
specifying the -p option to the command builtin command
turning off restricted mode with set +r or set +o restricted.
These restrictions are enforced after any startup files
Moreover/Optionally, to restrict the user to a limited/picked set of command to use, you can create a .bash_profile read-only to that user, with
PATH=$HOME/bin
and symlink whatever commands you allows into the ~/bin folder to that user:
ln -s /bin/ls /home/restricted_folder/bin/ls
ln -s /bin/mkdir /home/restricted_folder/bin/mkdir
ln -s /bin/rm /home/restricted_folder/bin/rm
etc.
HTH
i can find any file on the filesystem, including /root directory and i can read these files. Wondering how to further restrict access of seeing anything outside user folder or capturing any network packets or reading /var/log contents – 16851556 – 2019-08-14T15:47:19.530
I tried method 2, and got Write failed: Broken pipe when I try to log in. – rebellion – 2015-02-03T10:50:48.247
3You should write the
Subsystem sftp internal-sftp
line in your second example above theMatch
block. Otherwise ssh will print out an error and does not start. – Tik0 – 2015-03-13T10:53:01.1631I tried , but it seems that i can still cd .. and browse the upper directory. and when I use vi a.txt in the upper directory, it shows:press enter or command to continue, and i can not quit vi – Foolish – 2010-06-06T13:11:26.083
1Spoiler alert: does not work with scp – bicycle – 2017-08-07T19:22:54.690
Can that
/restricted/directory
be another a directory under another user's home directory? I have the root access of this machine. – Jason Goal – 2020-02-23T03:53:25.7931Can I use option #2 if the user should only have sshfs access? – flickerfly – 2013-09-30T18:51:42.397
1Everything works fine, except that I have no write permission. How can I set a write permission for this restricted directory. If I use chmod 775, the user can't login anymore. – My-Name-Is – 2013-12-12T23:29:53.360
@My-Name-Is you could create a subdirectory and set permissions as 775 on it – whitequark – 2013-12-14T11:51:47.943