How to set the permissions of an SFTP service user directory on a Linux system
- 2020-05-15 03:26:29
- OfStack
preface
In work or study we often need to restrict a Linux user so that he can add, modify and delete files only in a specified directory, and can log in to the server only with sftp, not ssh. This can be achieved by configuring the sftp service.
Method
The sftp service can be provided by vsftpd or by internal-sftp; internal-sftp comes with the system. The steps are as follows:
1. Create a new user ui, forbid ssh login, and do not create a home directory
useradd -s /sbin/nologin -M www
2. Set the user password
passwd www
3. Create the user's root directory, so that the user is confined to this directory
mkdir /home/www
4. Set the directory permissions. Two rules apply:
Every directory from this directory up to the system root must be owned by root
None of the directories from this directory up to the system root may have group write permission
chown root:root /home/www
chmod 755 /home/www
5. Configure sshd_config
vim /etc/ssh/sshd_config
6. Change it as follows, then save and exit (comments are placed on their own lines, since trailing comments on a directive are not reliably accepted by sshd)
# Comment out this line
#Subsystem sftp /usr/libexec/openssh/sftp-server
# Add at the end of the configuration file
# Specify that the sftp service uses the system's built-in internal-sftp
Subsystem sftp internal-sftp
# Match the user; to match several groups, separate the groups with commas
Match User www
    # chroot sets the user's root directory; on the meaning of chroot see: http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/
    ChrootDirectory /home/www
    # The sftp command to force for this user
    ForceCommand internal-sftp
    # Add these two lines if you do not want the user to be able to use port forwarding; otherwise delete them
    X11Forwarding no
    AllowTcpForwarding no
7. Restart the sshd service
service sshd restart
8. Test:
After logging in, the user lands in /home/www, which is the user's root directory. That root directory is not writable, so use root to create a new ui directory under /home/www
mkdir /home/www/ui
Modify the directory owner and permissions
chown ui:ui /home/www/ui
chmod 777 /home/www/ui
# You can also create a symbolic link to the ui directory in another directory
#ln -s /home/www/ui /www/
Log in as the www user with sftp, enter the ui directory, and you can then add, modify and delete files under /home/www/ui
sftp -oPort=22 ui@123.56.18.72
sftp> cd ui
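The two rules in step 4 are the usual reason a chrooted sftp login fails with "bad ownership or modes for chroot directory". The helper below, an added example that is not part of the original article, walks from the ChrootDirectory up to / and reports any component that is not root-owned or is group- or other-writable; it assumes GNU stat (stat -c), as found on the Linux systems the article targets. The chmod 777 on /home/www/ui is unaffected, because the rules apply only to the chroot directory and its ancestors.

```sh
#!/bin/sh
# Added verification helper for the ChrootDirectory rules in step 4.
# Assumes GNU coreutils stat (stat -c '%u %a').

# component_ok UID MODE -> 0 if the entry is owned by uid 0 and is neither
# group- nor other-writable. MODE is octal as printed by `stat -c %a`,
# e.g. 755 or 1777.
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # A leading 0 forces octal arithmetic; 022 masks the group/other write bits.
    [ $((0$mode & 022)) -eq 0 ] || return 1
    return 0
}

# check_chroot_path DIR -> 0 if every component from DIR up to / passes
# component_ok; otherwise prints each offending component and returns 1.
# Returns 2 if DIR does not exist or stat fails.
check_chroot_path() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        set -- $info
        if component_ok "$1" "$2"; then
            echo "ok   $dir (uid=$1 mode=$2)"
        else
            echo "BAD  $dir (uid=$1 mode=$2): must be root-owned, no group/other write"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage after step 4 of the article, before restarting sshd:
#   check_chroot_path /home/www
```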
conclusion
That is the whole content of this article. I hope it is of some help to your study or work; if you have questions, leave a message and we can discuss them.