SFTP login confined to a specified directory

Modify sshd configuration: /etc/ssh/sshd_config

#Subsystem      sftp    /usr/lib/openssh/sftp-server
Subsystem       sftp    internal-sftp  # Change to internal-sftp: the in-process server needs no binaries inside the chroot

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

Match User test
       ChrootDirectory /sftpdata/test
       X11Forwarding no
       AllowTcpForwarding no
       PermitTTY no
       ForceCommand internal-sftp  # Force the SFTP subsystem; an interactive SSH login is refused

Match Group sftpgroup
       ChrootDirectory /sftpdata/%u
       X11Forwarding no
       AllowTcpForwarding no
       PermitTTY no
       ForceCommand internal-sftp

The same block written out with comments (here with a different root path, /data/sftp):

Match Group sftpgroup
       ChrootDirectory /data/sftp/%u   # Root folder seen by members of the group sftpgroup. %h is the user's home directory, %u is the user name.
       ForceCommand internal-sftp
       AllowTcpForwarding no
       X11Forwarding no

ChrootDirectory directory permissions:

The ChrootDirectory itself and every parent directory up to / must be owned by root (owner and group) and must not be writable by group or others; 755 is the maximum mode. If any component in the chain violates this, sshd refuses the login.
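The rule above is easy to break when a parent directory is created by a deployment tool or an administrator runs a careless chmod. The following check, added here as an example and not part of the original page, walks from the chroot directory up to / (or up to a given top directory) and reports every component that is not owned by the expected owner or is writable by group or others. The second and third arguments are assumptions of this example: they exist only so the function can be exercised in a scratch tree by a non-root user; on a real server call it with just the path.

```shell
#!/bin/sh
# Added example: verify the ownership/mode chain sshd requires for ChrootDirectory.
# Requires GNU stat (Linux).
#
# Usage: check_chroot_chain DIR [EXPECTED_OWNER] [TOP]
#   DIR             the ChrootDirectory to check, e.g. /sftpdata/user1
#   EXPECTED_OWNER  defaults to root (only change this for test trees)
#   TOP             stop after checking this directory (defaults to /)
# Prints one line per violation; returns 1 if any were found, 0 otherwise.
check_chroot_chain() {
    dir=$1
    owner=${2:-root}
    top=${3:-/}
    rc=0
    p=$dir
    while :; do
        if [ ! -d "$p" ]; then
            echo "MISSING: $p is not a directory"
            rc=1
        else
            # GNU stat: %U = owner name, %a = octal mode without leading zero (e.g. 755, 1777)
            set -- $(stat -c '%U %a' "$p")
            if [ "$1" != "$owner" ]; then
                echo "OWNER: $p is owned by $1, expected $owner"
                rc=1
            fi
            m=$(printf '%04d' "$2")      # normalise to four digits, e.g. 0755
            go=${m#"${m%??}"}            # last two digits: group and other
            g=${go%?}
            o=${go#?}
            # The write bit is 2 in each octal digit; group or other write breaks the chroot
            if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
                echo "MODE: $p has mode $2; group/other must not be writable (755 at most)"
                rc=1
            fi
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# When run as a script: sh check_chroot.sh /sftpdata/user1
if [ $# -gt 0 ]; then
    check_chroot_chain "$@"
fi
```

Run it after creating each user's root directory and again after any change to the parent tree; pair it with `sshd -t`, which validates the sshd_config syntax but does not check the directory chain for you.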


Create an sftp user

Users whose home directory is the SFTP root and who cannot log in to a shell

# Create the sftpgroup group
groupadd sftpgroup

# Create user1
useradd user1 -g sftpgroup -d /sftpdata/user1 -s /sbin/nologin
passwd user1

# Create other users, etc.
useradd otheruser -g sftpgroup -d /sftpdata/otheruser -s /sbin/nologin
passwd otheruser

A user who cannot log in over SSH, but keeps a normal shell and home directory and can be reached with su

# Create a user normally
adduser tt

usermod tt -g sftpgroup

Because ForceCommand internal-sftp allows only SFTP and blocks the SSH login, but a local administrator can still switch to the account with su.


Create the root directory of sftp and set the corresponding permissions

Because the owner of ChrootDirectory is root and its mode is 755, non-privileged users (such as the SFTP users) cannot create new directories or files directly in it: mode 755 means that only the owner of the directory (root) can write to it.

If you want the SFTP user to be able to create directories or upload files, you need to give the user write permissions in one of the subdirectories of ChrootDirectory.

Taking user1 as an example, the following are the steps:

  1. Create a user-writable subdirectory

    • Create a subdirectory inside /sftpdata/user1, for example uploads.

    • Change the owner of the subdirectory to the SFTP user it belongs to.

    mkdir /sftpdata/user1/uploads

    chown user1:user1 /sftpdata/user1/uploads

    chmod 777 /sftpdata/user1/uploads  # 755 already lets user1 write here as the owner; 777 only if other accounts must write too

  2. User action:

    • When the user connects over SFTP and changes into the uploads directory, they can create directories and files there, since they have write permission in this subdirectory.
Last modified: July 21, 2025
