How to set the permissions of an SFTP service user's directory on Linux

  • 2020-05-15 03:26:29
  • OfStack

Preface

At work or while studying we often need to restrict a Linux user so that they can add, modify and delete files only inside one specified directory, and so that they can log in to the server only over sftp, not ssh. Both requirements can be met by configuring the sftp service.

Method

SFTP service can be provided by vsftpd or by internal-sftp. internal-sftp comes with the system (it is built into OpenSSH), so the steps below use it:

1. Create a new user www with a nologin shell (so ssh logins are refused) and without creating a home directory


useradd -s /sbin/nologin -M www

2. Set the user password


passwd www

3. Create the directory that will become the user's root (chroot) directory, so that the user can only operate inside it


mkdir /home/www

4. Set the permissions of the directory. sshd imposes two conditions on a chroot directory:

Every directory in the path, from the chroot directory up to the system root /, must be owned by root

None of those directories may be writable by the group (or by others)


chown root:root /home/www
chmod 755 /home/www

5. Edit sshd_config


vim /etc/ssh/sshd_config

6. Make the following changes, then save and exit


# Comment out the existing sftp subsystem line
#Subsystem  sftp /usr/libexec/openssh/sftp-server
# Add the following at the end of the configuration file.
# sshd_config does not allow comments after a directive on the same line,
# so each comment is on its own line.
# Use the internal-sftp subsystem built into OpenSSH
Subsystem sftp internal-sftp
# Match the user; to match several users, separate the names with commas
Match User www
    # Root directory the user is chrooted into. On chroot, see:
    # http://www.ibm.com/developerworks/cn/linux/l-cn-chroot/
    ChrootDirectory /home/www
    # Force the sftp command, so the user gets no shell
    ForceCommand internal-sftp
    # Add these two lines if the user must not use port forwarding; otherwise omit them
    X11Forwarding no
    AllowTcpForwarding no

7. Restart the sshd service


service sshd restart

8. Test:

After logging in, the user lands in /home/www, which is the user's root directory. That directory is not writable by the user, so as root create a new subdirectory ui inside /home/www


mkdir /home/www/ui

Change the owner and permissions of the directory


chown www:www /home/www/ui
# The directory is owned by www, so owner write access is what matters;
# 777 also grants write access to every other account on the host
chmod 777 /home/www/ui
# Optionally, create a symbolic link to the ui directory from another location
#ln -s /home/www/ui /www/

Log in over sftp as user www, enter the ui directory, and you can now add, modify and delete files under /home/www/ui


sftp -oPort=22 www@123.56.18.72
sftp> cd ui

Conclusion

That is the whole content of this article. I hope it is of some help to your study or work; if you have questions, please leave a message.
