How to restrict server users to a specific directory in Linux

Need to lock down that Linux server so certain remote users can only access a specific directory, and only for file upload and download purposes? Jack Wallen shows you how.

When you have a server with SSH access, unless you’ve configured it otherwise, any user with an account on that system can log in and, if they have the permissions and ability, wreak havoc on your server.


You don’t want that.

What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is confined to a chroot jail can:

  1. Only access the server via sftp
  2. Only access a specific directory

This is a great security addition to your Linux servers, and if you need such a use case, consider it a must-do. This is especially important if you have a server that houses sensitive data and you don’t want users even seeing those files and folders.

This setup isn’t all that challenging. In fact, the configuration is a lot simpler than finding ways to deploy the feature. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.

What you’ll need

To make this work, you’ll need a running instance of Linux and a user with sudo privileges. That’s it. Let’s make some security magic.

How to create a restricted group and add users on a Linux server

The first thing we must do is create a new group and add users to it. Create the group with:

sudo groupadd restricted

Next, add a user to the group with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted group.


How to configure SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line (near the bottom):

Subsystem sftp  /usr/lib/openssh/sftp-server

Change that line to:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Save and close the file. Restart SSH with:

sudo systemctl restart ssh
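As an added example that is not part of the original article, the POSIX shell snippet below renders the Match block above for any group and chroot directory, checks an sshd_config for the settings just listed, and tests the rule sshd enforces on ChrootDirectory: the directory must be owned by root and not writable by group or others, otherwise sshd refuses the login with "bad ownership or modes for chroot directory". The function names are my own.

```shell
#!/bin/sh
# Added example, not code from the article. Function names are assumptions.

# Print the sftp-only Match block for GROUP jailed under CHROOT_DIR.
render_match_block() {
    group="$1"; chroot_dir="$2"
    printf 'Match group %s\n' "$group"
    printf '  ChrootDirectory %s\n' "$chroot_dir"
    printf '  ForceCommand internal-sftp\n'
    printf '  AllowTcpForwarding no\n'
    printf '  X11Forwarding no\n'
}

# Return 0 when CONFIG has the in-process sftp subsystem and a Match block for
# GROUP carrying every setting from the article; otherwise report what is missing.
check_sftp_config() {
    config="$1"; group="$2"; rc=0
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$config" \
        || { echo "missing: Subsystem sftp internal-sftp"; rc=1; }
    # Keep only the lines from "Match group GROUP" up to the next Match line.
    block=$(awk -v g="$group" '
        tolower($1)=="match" { inblock = (tolower($2)=="group" && $3==g) }
        inblock { print }' "$config")
    for key in ChrootDirectory "ForceCommand internal-sftp" \
               "AllowTcpForwarding no" "X11Forwarding no"; do
        printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$key" \
            || { echo "missing in Match group $group: $key"; rc=1; }
    done
    return $rc
}

# UID and MODE are the values `stat -c '%u %a' DIR` prints (GNU stat).
# sshd requires uid 0 and no write bit for group or others on every path
# component of ChrootDirectory; this checks the directory itself.
chroot_mode_ok() {
    uid="$1"; mode="$2"
    [ "$uid" -eq 0 ] || return 1
    perms=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')   # drop setuid/sticky digit
    g=$(printf '%s' "$perms" | cut -c2); o=$(printf '%s' "$perms" | cut -c3)
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# Convenience wrapper for a real directory, e.g. chroot_dir_ok /home
chroot_dir_ok() {
    chroot_mode_ok $(stat -c '%u %a' "$1")
}
```

Before restarting sshd, `sudo sshd -t` validates the edited file so a typo in the Match block cannot lock you out of the daemon.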

Now, go to a different machine and attempt to SSH into the server as that user, such as:

ssh olivia@192.168.1.147

You’ll see the warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.

In order for anyone in the restricted group to log into the server, they must use sftp like so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP address or domain of the server. Once they successfully log in, they’ll be at the sftp prompt, where they can transfer files back and forth with the put and get commands. Those restricted users can only upload files to their home directories. When a restricted user first logs in, they will be in the /home directory. So, to successfully upload, they would have to change into their home directory with a command like:

cd olivia

Once in their home directory, they can then issue a command like:

put file1

As long as that file is in the current working directory of the machine they logged into the server from, it will upload just fine. If those users only need to download files to their local machine, they’d use a command like:

get file1

I realize this is a very restrictive configuration with fairly limited use cases, but at some point in your Linux admin career, you’re going to run into an instance where you need to restrict users to logging into a chroot jail. This is one way to do it.

