How to restrict a user to one folder and not allow them to move out his folder

I solved my problem by this way:

Create a new group

$ sudo addgroup exchangefiles

Create the chroot directory

$ sudo mkdir /var/www/GroupFolder/
$ sudo chmod g+rx /var/www/GroupFolder/

Create the group-writable directory

$ sudo mkdir -p /var/www/GroupFolder/files/
$ sudo chmod g+rwx /var/www/GroupFolder/files/

Give them both to the new group

$ sudo chgrp -R exchangefiles /var/www/GroupFolder/

after that I went to /etc/ssh/sshd_config and added to the end of the file:

Match Group exchangefiles
  # Force the connection to use SFTP and chroot to the required directory.
  ForceCommand internal-sftp
  ChrootDirectory /var/www/GroupFolder/
  # Disable tunneling, authentication agent, TCP and X11 forwarding.
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

Now I'm going to add new user with obama name to my group:

$ sudo adduser --ingroup exchangefiles obama

Now everything is done, so we need to restart the ssh service:

$ sudo service ssh restart

notice: the user now can't do any thing out file directory I mean all his file must be in file Folder.


Restrictions are a sensible issue, and it must be defined consistently. What you can do is to define a restricted shell for the user as his default shell.

For example, setting /bin/rksh (a restricted kornshell) instead of the user's predefined shell as the default shell for that user in /etc/profile.

NOTE: if the executable with this name is not existing on your system then create a hard link ln /bin/ksh /bin/rksh and ksh will determine by its name whether it's restricted or not.

The restricted shell will (for example) prevent doing a cd command, or specifying a command with a / (an explicit path) in the invocation, and it disallows changing the PATH, SHELL, or ENV variable, and output redirections are also prohibited.

You can still provide predefined shell scripts to the user that will (under the script implementors control!) allow the user to run that specific script(s) in an unrestricted environment.


The command chroot allows you to create a restricted root for a user, this question explains the concept of chroot and how to use it.

Update: Searching for chroot jail set up on digital ocean, brings up further documentation specific to their environment. Here's a couple which I think are related to what you might need.

How To Configure Chroot Environments for Testing on an Ubuntu 12.04 VPS

How to allow restriced SSH access to chroot jailed user

Here's one which relates to jailkit, which FloHimself suggested.