How to restrict a user to one folder and not allow them to move out his folder
I solved my problem by this way:
Create a new group
$ sudo addgroup exchangefiles
Create the chroot directory
$ sudo mkdir /var/www/GroupFolder/
$ sudo chmod g+rx /var/www/GroupFolder/
Create the group-writable directory
$ sudo mkdir -p /var/www/GroupFolder/files/
$ sudo chmod g+rwx /var/www/GroupFolder/files/
Give them both to the new group
$ sudo chgrp -R exchangefiles /var/www/GroupFolder/
after that I went to /etc/ssh/sshd_config
and added to the end of the file:
Match Group exchangefiles
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /var/www/GroupFolder/
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
Now I'm going to add new user with obama name to my group:
$ sudo adduser --ingroup exchangefiles obama
Now everything is done, so we need to restart the ssh service:
$ sudo service ssh restart
notice: the user now can't do any thing out file
directory
I mean all his file must be in file Folder.
Restrictions are a sensible issue, and it must be defined consistently. What you can do is to define a restricted shell for the user as his default shell.
For example, setting /bin/rksh
(a restricted kornshell) instead of the user's predefined shell as the default shell for that user in /etc/profile
.
NOTE: if the executable with this name is not existing on your system then create a hard link ln /bin/ksh /bin/rksh
and ksh
will determine by its name whether it's restricted or not.
The restricted shell will (for example) prevent doing a cd
command, or specifying a command with a /
(an explicit path) in the invocation, and it disallows changing the PATH
, SHELL
, or ENV
variable, and output redirections are also prohibited.
You can still provide predefined shell scripts to the user that will (under the script implementors control!) allow the user to run that specific script(s) in an unrestricted environment.
The command chroot
allows you to create a restricted root for a user, this question explains the concept of chroot
and how to use it.
Update: Searching for chroot jail set up on digital ocean, brings up further documentation specific to their environment. Here's a couple which I think are related to what you might need.
How To Configure Chroot Environments for Testing on an Ubuntu 12.04 VPS
How to allow restriced SSH access to chroot jailed user
Here's one which relates to jailkit, which FloHimself suggested.