
The goal of this article is to provide solutions and approaches for a limited shared hosting environment. With modern container technology, the techniques below may be combined with mounted shares to create an even greater level of safety.

Approach 1 - Restricted SFTP Only Access

With this approach, you grant the user access to a specific directory via SFTP only. Shell access will not be granted.

Enable SFTP Only Shell

There is an SFTP-only shell available which prevents users from logging into a normal shell. Register the sftp shell with the operating system (the path varies by distribution; use the location where your OpenSSH package installs sftp-server),

echo '/usr/lib/sftp-server' | sudo tee -a /etc/shells   # sudo on echo alone would not apply to the >> redirect

Any user can now be restricted to SFTP-only access by changing that user's shell,

sudo usermod -s /usr/lib/sftp-server jolsen

Restrict Folder Access

There are many ways of doing this. We will opt for the simplest approach: users will be restricted to their own home directories. To make adding and removing users easy, Unix groups will be used.

Modify sshd_config with your favourite editor,

vi /etc/ssh/sshd_config

Add to the bottom of the file (a Match block applies to every directive that follows it, so it must come last),

Match group sftprestricted
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    # Optional increased security directives
    X11Forwarding no
    AllowTcpForwarding no

In order for this to work, root must own the home folder; sshd also refuses to chroot unless neither that folder nor any of its parent directories is writable by group or others, so the user needs a writable subdirectory inside it for uploads. By default this is the case with Ubuntu and most *nix systems.
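The whole of Approach 1 as one provisioning script, added here as an example and not taken from the article: it registers the sftp shell, creates the group and the user, fixes the chroot ownership, creates a writable upload subdirectory, appends the Match block once and validates sshd_config before reloading. It assumes GNU coreutils (`stat -c`), the sftp-server path used above, and a Debian/Ubuntu `ssh` systemd unit; the group name `sftprestricted` comes from the article, while the `upload` subdirectory name and the function names are this example's own choices. Run it as root with `--apply <username>`; without arguments it only defines the functions, and the `check_chroot_dir` check can be run on its own to diagnose the "bad ownership or modes for chroot directory" failure.

```shell
#!/bin/sh
# Added example (not from the original page). Provisions an SFTP-only,
# chrooted user following Approach 1. Assumes GNU coreutils, the article's
# sftp-server path and a Debian/Ubuntu 'ssh' service unit.
set -eu

SFTP_GROUP="sftprestricted"
SFTP_SHELL="/usr/lib/sftp-server"   # adjust to your distribution
SSHD_CONFIG="/etc/ssh/sshd_config"

# Render the article's Match block for the given group name.
render_sshd_match() {
    printf '%s\n' \
        "Match Group $1" \
        "    ForceCommand internal-sftp" \
        "    ChrootDirectory /home/%u" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no"
}

# Check one path component the way sshd does before chrooting: it must be
# owned by the expected uid (root, 0, in production) and must not be
# writable by group or others. Prints each violation; returns 1 on any.
check_path_component() {
    comp="$1"
    want_uid="$2"
    rc=0
    uid=$(stat -c '%u' "$comp")
    perms=$(stat -c '%A' "$comp")      # e.g. drwxr-xr-x
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD owner: $comp is owned by uid $uid, expected $want_uid" >&2
        rc=1
    fi
    case "$perms" in
        ?????w*|????????w*)   # 6th char = group write, 9th char = other write
            echo "BAD mode: $comp is group- or other-writable ($perms)" >&2
            rc=1 ;;
    esac
    return $rc
}

# Walk from the chroot directory up to / and check every component.
# Optional second argument overrides the required owner uid (for testing).
check_chroot_dir() {
    dir="$1"
    owner="${2:-0}"
    case "$dir" in
        /*) ;;
        *)  echo "check_chroot_dir: need an absolute path" >&2; return 2 ;;
    esac
    bad=0
    p="$dir"
    while :; do
        check_path_component "$p" "$owner" || bad=1
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $bad
}

provision_sftp_user() {
    user="$1"
    home="/home/$user"
    grep -qx "$SFTP_SHELL" /etc/shells || echo "$SFTP_SHELL" >> /etc/shells
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    if id "$user" >/dev/null 2>&1; then
        usermod -s "$SFTP_SHELL" -aG "$SFTP_GROUP" "$user"
    else
        useradd -m -s "$SFTP_SHELL" -G "$SFTP_GROUP" "$user"
    fi
    # The chroot root must be root-owned and not writable by the user;
    # give the user a writable subdirectory for uploads instead.
    chown root:root "$home"
    chmod 755 "$home"
    mkdir -p "$home/upload"
    chown "$user:$user" "$home/upload"
    chmod 700 "$home/upload"
    check_chroot_dir "$home"
    # Append the Match block only once; it must stay at the end of the file.
    if ! grep -q "^Match Group ${SFTP_GROUP}\$" "$SSHD_CONFIG"; then
        render_sshd_match "$SFTP_GROUP" >> "$SSHD_CONFIG"
    fi
    sshd -t                 # validate the config before reloading
    systemctl reload ssh    # the unit is 'sshd' on non-Debian systems
}

# Only act when invoked explicitly, so the file can be sourced for its checks.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    provision_sftp_user "$2"
fi
```

The ownership walk matters more than it looks: a chroot placed under a world-writable parent such as /tmp is rejected by sshd even though the sticky bit is set, which is exactly what `check_chroot_dir` reports.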

Shell Access

rbash (restricted bash) restricts the capabilities available to an interactive user session, or to a shell script, running within it. It provides an additional layer of security against ordinary users only; more advanced users may write programs that can break out of rbash.

Further lock down the system using permissions and/or ACLs.

Research

How to configure sftp to lock down directory with groups - http://www.debian-administration.org/articles/590

scponly sounded like a quick, easy solution, but did not give a good feeling when reading the docs, as it sounds complicated - https://github.com/scponly/scponly/wiki
