Home / server / Questions / 371088
Accepted
David Wadge
Asked: 2012-03-20 03:11:11 +0800 CST

CentOS Adding a user restricted to one directory

  • 772

What's the easiest and standard way to create and restrict a new user to /var/www/ in CentOS ?

Edit: Ideally restricted to SCP only.

centos permissions

4 Answers

  1. Best Answer

    With a recent enough CentOS comes a new enough OpenSSH with chroot and internal-sftp features.

    First you need to configure OpenSSH to use the internal SFTP. This is done by adding this line to sshd.conf:

    Subsystem sftp internal-sftp

    Then you can add rules for restricting users / groups to their home directories:

      Match user restrictedjoe
  ChrootDirectory /var/www
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

    Or for groups

      Match group restrictedgroup
  ChrootDirectory /var/www
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp
    • 5

  2. I am not aware of a "stadard way" but one method to do this is to create a so called "jail" for the user where his/her jail is /var/www. This can be done by creating a chroot jail. See the chroot command. The jail can also control what the user can do in the jail ie which commands/programs can be run.

    • 1

  3. Based on your reply to my comment, I wouldn't give the user a full shell. This makes the task far easier. There are a few shell replacements that come to mind which can be used to allow the user to manage files and nothing else:

    I've personally used scponlyc a few times. It even includes scripts to set up chroot jails for you (github wiki)

    • 1

  4. My favorite why is installing mysecureshell

    http://mysecureshell.sourceforge.net/

    It's the most config friendly option. You can do a lot of great things with it

    • 1