I run a server (Ubuntu 18.04) that hosts about a dozen websites using Linode. Most of the sites are run using WordPress and are my own or sites I manage for friends or family. I do, however, host one for a colleague who actively develops online content for that site.
As WordPress has developed, the ability to upload various file types has slowly been removed for security reasons. As a result, for certain types of files, it is now required to upload them using a different approach. I can do so using SSH, but GUI FTP/SFTP software was going to be easier in this situation as the person responsible for managing that site doesn’t have a lot of knowledge managing a website. I explained to this person, we’ll call her Sharon, that it would be possible for her to upload these files herself using FTP/SFTP. She was worried as she doesn’t know what that is or how to use it. But I explained it and, hopefully, she’ll grow more comfortable with it.
However, I don’t want a novice to gain access to all the files on my server. So, I was faced with the question of how to set up an FTP/SFTP account for someone that is restricted to just one folder – a folder where she can upload stuff and delete files, but with no access to anything else.
Here’s how I did it.
First, you should create a new user group on your server. This can be done with the following command:
sudo addgroup --system GROUPNAME
This will add a new user group called GROUPNAME (I called mine “ftpusers”). If this individual isn’t currently a user on your server, add them as a user as well:
sudo adduser --shell /bin/false USER
Replace “USER” with whatever name you’re using for this individual, for me it was “sharon.” You’ll need to create a password for your USER and fill in some additional information. Then add your USER to your GROUPNAME with the following command:
sudo usermod -a -G GROUPNAME USER
Or my command:
sudo usermod -a -G ftpusers sharon
So, you have now created a new group and a new user and added the new user to the new group. Of course, the next step is to restrict what your new USER can do. In particular, we want the user to have access to just a single directory. Here’s how that is done.
You can create a directory the user can use:
sudo mkdir -p /var/sftp/NEWFOLDER
This folder can be anywhere on your server. I put mine in a subfolder on their wordpress installation:
sudo mkdir -p /var/web/DOMAIN/public/wp-content/uploads/NEWFOLDER
Now, we need to tell the server to restrict USER to this NEWFOLDER when they login. First, let’s give ownership of that folder to the user with the chown command:
sudo chown USER:GROUPNAME /var/sftp/NEWFOLDER
We should also make sure the permissions for the new folder are what we want them to be – read/write for the user and group:
sudo chmod 755 /var/sftp/NEWFOLDER
If you navigate to that folder and check the settings, you should see that the owner is now the USER and the GROUPNAME (you can check with “ls -l”). It’s not a bad idea to also check to make sure that the folder above it is owned by “root” or your primary user, which will prevent your new USER from being able to make changes to that folder.
So far, we have a new USER and GROUPNAME and the user has a folder they can access. However, we need to tell the server that the user needs SFTP access and then need to force them to go to just that one folder when they login with SFTP.
To grant them SFTP access, you need to change the SSH settings:
sudo nano /etc/ssh/sshd_config
This will open the file “sshd_config” with a text editor (nano) so you can make changes. At the end of the file, you want to add the following text:
Match User GROUPNAME
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp/NEWFOLDER
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
This allows users in the group GROUPNAME SFTP access to the folder you created for them.
Before you close the nano session with “sshd_config”, you may have to change one other setting. Look for a line that says:
Subsystem sftp /usr/lib/openssh/sftp-server
Mine was not commented out, so that setting was active. However, given the settings we just added to the file, we need to change that. Comment out that line:
#Subsystem sftp /usr/lib/openssh/sftp-server
Below that line, add the following line:
Subsystem sftp internal-sftp
I’m guessing that the original line specified a location for the sftp-server to be used by the server but we want the server to determine the best location for the sftp-server it is going to use and that’s what the second line does. (Alternatively, in the text added to “sshd_config” the line “ForceCommand internal-sftp” could probably be left off, meaning you wouldn’t have to do the step I just described. I haven’t tried that, but it may work.)
Anyway, when you’re done editing the “sshd_config” file, save it and exit from nano.
Finally, to make sure that the new USER is forced into the specified folder when they login, you have to make one more change. This changes the home directory for the user so they are forced into that directory when they login. Here’s the command.
usermod -d /var/sftp/NEWFOLDER USER
This makes the folder you created (NEWFOLDER) the home directory for the USER so, when they log in using SFTP, they will be forced directly into that folder.
There you have it. You have a new user in a group with restricted SFTP access and the user will be forced directly into the folder you created where they can upload, modify, and delete content. They will not have access to anything else on the server, so the rest of your content will be safe.
Acknowledgments: I figured all of the above out with help from these sites: here, here, here, and here.
UPDATE: 07-23-2021. This didn’t work with Ubuntu server 20.04. I had to make a few modifications based on this website’s directions. I need to figure out which changes worked, precisely. Then I’ll make a note of them here.
