How do I restrict each user to a certain (and different) directory on SFTP

Support for security such as Firewalls and securing linux
NTekNiklaus
Posts: 2
Joined: 2020/06/29 20:09:54

How do I restrict each user to a certain (and different) directory on SFTP

Post by NTekNiklaus » 2020/06/29 20:16:56

Hello, I am running CentOS 8.2 and I have three services running on this VM: Steam, Minecraft, and a website. They are all within their own user accounts. What I want to do is still be able to use SFTP on all these accounts, but I don't want them to be within the home directory. What I am looking at doing is getting SFTP to only allow access to the folders in each directory, all of which are named differently, but within /home. Is there any way I can do that?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How do I restrict each user to a certain (and different) directory on SFTP

Post by TrevorH » 2020/06/29 20:22:03

Can you give an example?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

NTekNiklaus
Posts: 2
Joined: 2020/06/29 20:09:54

Re: How do I restrict each user to a certain (and different) directory on SFTP

Post by NTekNiklaus » 2020/06/29 23:23:23

Sure. Let's use my website and Half-Life server for example since one has a different situation.

The website is under a user named web. It is in the wheel group and I sign in whenever I need to mess with the website. I set a redirect for /var/www/html to /home/web/(redacted).

I'll redact the folder name where the website is stored as it has the website name.

On the other hand, my Half-Life server is under a user named steam. In the steam home folder there is another folder named steam, and lastly, hlserver. Half-Life's executable runs out of there.

So what I want to do is this.
For steam, I want SFTP to only be able to access /home/steam/steam/hlserver.
For web, I want SFTP to only be able to access /home/(redacted)

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How do I restrict each user to a certain (and different) directory on SFTP

Post by jlehtone » 2020/06/30 06:13:50

I think you should look for "SFTP chroot".

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: How do I restrict each user to a certain (and different) directory on SFTP

Post by KernelOops » 2020/06/30 06:58:56

It's fairly easy to do, by restricting home directory access. I do that regularly for my websites.

For example, if I have three websites like:

/home/web1
/home/web2
/home/web3

then I make sure their group/world permissions are restricted, like:

chmod go-wrx /home/web1
chmod go-wrx /home/web2
chmod go-wrx /home/web3

Thus, the sftp user web1 can't change to /home and then move to another home directory like web2 or web3.

Further into this, PHP is set up accordingly with open_basedir restrictions, and each Apache domain is also restricted the same way.
--
R.I.P. CentOS :cry:
--
