How to add an ssh user who only has permissions to access specific folder?
useradd -d /var/www/xyz.com.tr/musteri -s /bin/bash -g sshd musteri
I created a user called musteri. I set its home folder and group.
So, I want to confine the musteri user to “/var/www/xyz.com.tr/musteri”. I don’t want it to access any other folder.
Answers:
Method 1
It sounds like you want your customers to have file transfer access to a folder without actually giving them shells. This is a good thing because, as binfalse pointed out, giving people shells with limited access is tricky: shells need to access all kinds of things scattered around the system just to run.
In order to give SFTP access to a specific folder, you can do something like this.
- Add a new group to the system, say ‘sftponly’.
- Add any users on your system that should have restricted rights to this group. You could also give them restricted shells like /bin/true, but it’s not required.
- Change your ssh config file (usually /etc/ssh/sshd_config) to contain these lines:

Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
This would activate the sftp subsystem inside of SSH and force members of that system group to use only that subsystem when logging in. It would also chroot them to their home directories. You could change that to a sub-folder of their home directories as well, with something like ChrootDirectory %h/musteri_sftp, so that they couldn’t see the rest of their system files but would log in directly to a special subfolder of their home folder.
Good luck with it.
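The procedure above, carried through end to end as an added example (this is not code from the answer or from OpenSSH itself). It assumes OpenSSH with the internal-sftp subsystem and Match blocks, GNU/POSIX find, ls and sed, and a Debian-style useradd and ssh service name; the group name sftponly, the writable subdirectory upload, and the helper names are illustrative assumptions. The part the answer does not mention is the ownership rule: sshd only chroots into a directory when it, and every parent component down to /, is owned by root and not writable by group or other; otherwise the login fails with "bad ownership or modes for chroot directory". Because the chroot root is therefore read-only for the user, the script creates a user-owned subdirectory inside it for uploads, and it checks the path before touching sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumes OpenSSH
# (internal-sftp + Match), GNU/POSIX find/ls/sed and a Debian-style
# useradd and 'systemctl reload ssh'. The group 'sftponly', the 'upload'
# subdirectory and the service name are assumptions for illustration.

# Print the Match block for a chrooted, SFTP-only group.
# $1 = group name; $2 = optional subdirectory of the home directory to
# chroot into (the "%h/musteri_sftp" variant from the answer).
render_sftp_match() {
  group=$1
  if [ -n "${2:-}" ]; then chroot="%h/$2"; else chroot="%h"; fi
  printf 'Match Group %s\n' "$group"
  printf '    ChrootDirectory %s\n' "$chroot"
  printf '    AllowTcpForwarding no\n'
  printf '    X11Forwarding no\n'
  printf '    ForceCommand internal-sftp\n'
}

# sshd refuses to chroot unless every path component from / down to the
# chroot is owned by root and not writable by group or other; otherwise
# the login fails with "bad ownership or modes for chroot directory".
# Print one "<component>: <problem>" line per violation (nothing if OK).
chroot_path_problems() {
  dir=$1
  while :; do
    if [ ! -d "$dir" ]; then
      echo "$dir: missing"
    else
      [ "$(ls -ldn "$dir" | awk '{print $3}')" = "0" ] || echo "$dir: not-root-owned"
      [ -z "$(find "$dir" -prune -perm -020)" ] || echo "$dir: group-writable"
      [ -z "$(find "$dir" -prune -perm -002)" ] || echo "$dir: world-writable"
    fi
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
}

# Create the account and directory layout and enable the config. Run as root.
# $1 = user name, $2 = home directory (becomes the chroot root).
apply_sftp_user() {
  user=$1; home=$2
  getent group sftponly >/dev/null || groupadd sftponly
  # -M: do not let useradd create the home with user ownership.
  # /bin/false blocks interactive login even if the Match block is removed.
  id "$user" >/dev/null 2>&1 || useradd -M -d "$home" -s /bin/false -G sftponly "$user"
  mkdir -p "$home/upload"
  chown root:root "$home" && chmod 0755 "$home"                        # chroot root: root-owned, read-only for the user
  chown "$user:sftponly" "$home/upload" && chmod 0750 "$home/upload"  # the only place the user can write
  # The parents (/var, /var/www, ...) are checked too; fix by hand if anything is printed.
  chroot_path_problems "$home"
  # 'Subsystem sftp' must appear exactly once and before any Match block:
  # rewrite the distro's sftp-server line in place, then append our block.
  if grep -q '^Subsystem[[:space:]]*sftp' /etc/ssh/sshd_config; then
    sed -i 's|^Subsystem[[:space:]]*sftp.*|Subsystem sftp internal-sftp|' /etc/ssh/sshd_config
  else
    echo 'Subsystem sftp internal-sftp' >> /etc/ssh/sshd_config
  fi
  render_sftp_match sftponly >> /etc/ssh/sshd_config
  # Validate before reloading; a broken sshd_config would lock everyone out.
  sshd -t && systemctl reload ssh    # the service is 'sshd' on RHEL-style systems
}

# Usage (as root): apply_sftp_user musteri /var/www/xyz.com.tr/musteri
```

Run chroot_path_problems on the intended home before applying anything: a chroot placed under a world-writable directory such as /tmp, or under a parent owned by the web server user, is rejected by sshd no matter how the leaf directory is set up. The upload subdirectory is what the customer sees as /upload after logging in; the web application can be pointed at it, while the chroot root itself stays root-owned.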
Method 2
In my opinion this is very difficult, if not impossible. When the user connects via SSH he at least needs a shell, in your case bash. To execute /bin/bash he needs permission to access /bin. bash itself needs to read some stuff from /etc (e.g. /etc/bash.bashrc), so the user also needs access to /etc. Assuming the user doesn’t only want to hang around in this directory, he might want to read a file, but to execute for example vim he also needs access to /usr/bin.
This is just a small demonstration; there are some more dependencies, e.g. I don’t really know what will happen if the user doesn’t have access to /tmp.
You should think about your intention. Do you just want somebody to have read/write access to a part of your web service? Then you might set up something like FTP to export a specific directory to this user, so he is able to read/write these files without SSH access.
Another nice solution would be a repository. For example, set up a Git repo and let the user clone it. He can make his changes locally and send you a patch. You can decide whether to apply this patch or not, and a rollback for buggy patches is also very easy.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0