Can I create an SSH user which can access only certain directory?

45

23

I have a Virtual Private Server which I can connect to using SSH with my root account, being able to execute any linux command and access all the disk area, obviously.

I would like to create another user account, which would be able to access this server using SSH too, but only to a certain directory, for example /var/www/example.com/

For example, imagine this user has a HUGE error.log file (500 MB) located in /var/www/example.com/logs/error.log When accessing this file using FTP, this user needs to download 500 MB to view the last lines of the log, but I'd like him to be able to execute something like this:

tail error.log

Therefore I need him to be able to access the server using SSH, but I don't want to grant him access to all server areas.

How can I do this?

Richard Rodriguez

Posted 2011-06-18T22:06:14.593

Reputation: 1 676

Answers

29

chroot the user.


Update:

The TechRepublic article by Vincent Danen says:

With the release of OpenSSH 4.9p1, you no longer have to rely on third-party hacks or complicated chroot setups to confine users to their home directories or give them access to SFTP services.

edit /etc/ssh/sshd_config (/etc/sshd_config on some distributions) and set the following options:

Subsystem     sftp   internal-sftp
Match Group sftp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

Ensure the “Match” directive is at the end of the file. This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command

For any users that you wish to chroot, add them to the sftp group by using:

# usermod -G sftp joe
# usermod -s /bin/false joe
# chown root:root /home/joe
# chmod 0755 /home/joe

The usermod command above will add user joe to the sftp group and set their shell to /bin/false so they absolutely cannot ever get shell access. The chown and chmod commands will set the required permissions for the directory. With these permissions set, the user will be allowed to upload and download files, but cannot create directories or files in the root directory

Chrooting shell accounts is a little more complicated as it requires that certain device files and a shell be available in the user’s home directory. The following commands will set up a very basic chroot system on Mandriva Linux:

# mkdir /chroot
# cd /chroot
# mkdir {bin,dev,lib}
# cp -p /bin/bash bin/
# cp -p /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libtermcap.so.2} lib/
# mknod dev/null c 1 3
# mknod dev/zero c 1 5
# chmod 0666 dev/{null,zero}
# mkdir -p /chroot/home/joe

With the above, user joe can ssh in and will be restricted to the chroot. Unfortunately, this doesn’t do much, but it gives you an idea of how it can be set up. Depending on what you want to provide, you will need to install additional libraries and binaries.


The Ubuntu Community Website says

Creating a chroot

  1. Install the dchroot and debootstrap packages.

  2. As an administrator (i.e. using sudo), create a new directory for the chroot. In this procedure, the directory /var/chroot will be used. To do this, type sudo mkdir /var/chroot into a command line.

  3. As an administrator, open /etc/schroot/schroot.conf in a text editor. Type cd /etc/schroot, followed by gksu gedit schroot.conf. This will allow you to edit the file.

  4. Add the following lines into schroot.conf and then save and close the file. Replace your_username with your username.

    [lucid] description=Ubuntu Lucid location=/var/chroot priority=3 users=your_username groups=sbuild root-groups=root

Open a terminal and type:

sudo debootstrap --variant=buildd --arch i386 lucid /var/chroot/ \ 
http://mirror.url.com/ubuntu/

This will create a basic 'installation' of Ubuntu 10.04 (Lucid Lynx) in the chroot. It may take a while for the packages to be downloaded. Note: You can replace lucid with the Ubuntu version of your choice. Note: You must change the above mirror.url.com with the URL of a valid archive mirror local to you. A basic chroot should now have been created. Type sudo chroot /var/chroot to change to a root shell inside the chroot.

Setting-up the chroot

There are some basic steps you can take to set-up the chroot, providing facilities such as DNS resolution and access to /proc.

Note: Type these commands in a shell which is outside the chroot.

Type the following to mount the /proc filesystem in the chroot (required for managing processes):

sudo mount -o bind /proc /var/chroot/proc  

Type the following to allow DNS resolution from within the chroot (required for Internet access):

sudo cp /etc/resolv.conf /var/chroot/etc/resolv.conf 

Very few packages are installed by default in a chroot (even sudo isn't installed). Use apt-get install package_name to install packages.

RedGrittyBrick

Posted 2011-06-18T22:06:14.593

Reputation: 70 632

16

Your best bet, IMHO, is to set up a ssh chroot jail, i.e., a minimum bash environment on the /var/www/example.com/ dir. To do so, you can follow:

celebdor

Posted 2011-06-18T22:06:14.593

Reputation: 826