How to restrict a user to one folder and not allow them to move out his folder

  • I have an Ubuntu server on DigitalOcean and I want to give someone a folder for their domain on my server. My problem is, I don't want that user to see my folders or files, or to be able to move out of their folder.

    How can I restrict this user to their folder and not allow them to move out and see other files/directories?

    You might want to use separate user accounts for that purpose.

    chmod is not a good solution because I can't use it for all the folders on my server. I used it before and he can move out of his folder.

    Actually I have no idea about groups because I didn't use them before. Can you just explain to me what the benefit of it is?

  • badr aldeen (correct answer, 5 years ago)

    I solved my problem by this way:

    Create a new group

    $ sudo addgroup exchangefiles
    

    Create the chroot directory

    $ sudo mkdir /var/www/GroupFolder/
    $ sudo chmod g+rx /var/www/GroupFolder/
    

    Create the group-writable directory

    $ sudo mkdir -p /var/www/GroupFolder/files/
    $ sudo chmod g+rwx /var/www/GroupFolder/files/
    

    Give them both to the new group

    $ sudo chgrp -R exchangefiles /var/www/GroupFolder/
    

    After that I went to /etc/ssh/sshd_config and added to the end of the file:

    Match Group exchangefiles
      # Force the connection to use SFTP and chroot to the required directory.
      ForceCommand internal-sftp
      ChrootDirectory /var/www/GroupFolder/
      # Disable tunneling, authentication agent, TCP and X11 forwarding.
      PermitTunnel no
      AllowAgentForwarding no
      AllowTcpForwarding no
      X11Forwarding no
    

    Now I'm going to add a new user named obama to my group:

    $ sudo adduser --ingroup exchangefiles obama
    

    Now everything is done, so we need to restart the ssh service:

    $ sudo service ssh restart
    

    Notice: the user now can't do anything outside the files directory; I mean all his files must be in the files folder.

    I switched users as `sudo su - obama` and still it can see others' files @badr

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM