The goal of this article is to provide solutions and approaches for a limited shared hosting environment. With modern container technology, the techniques below may be combined with mounted shares to create an even greater level of safety.
Approach 1 - Restricted SFTP Only Access
With this approach, you grant the user access via SFTP only, and only to a specific directory. Shell access is not granted.
Enable SFTP Only Shell
There is an sftp shell available which prevents users logging into a normal shell. Register the sftp shell with the operating system,
echo '/usr/lib/sftp-server' | sudo tee -a /etc/shells
Now any user can be restricted to sftp only access by changing that user's shell,
usermod jolsen -s /usr/lib/sftp-server
Restrict Folder Access
There are many ways of doing this. We will opt for the simplest approach. Users will be restricted to their set home directories. Unix groups are used so that users can easily be added and removed.
Modify sshd_config with your favourite editor,
vi /etc/ssh/sshd_config
Add to the bottom of the file,
Match group sftprestricted
    ForceCommand internal-sftp
    ChrootDirectory /home/%u
    # Optional increased security directives
    X11Forwarding no
    AllowTcpForwarding no
In order for this to work, root should own the home folder. By default this is the case with Ubuntu and most *nix systems.
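The following check is an added example, not part of the original article. sshd only accepts a ChrootDirectory when every directory from the target up to / is owned by root and is not writable by group or others, and the script audits a path against that rule. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit a ChrootDirectory target.
# sshd rejects the chroot unless every directory from the target up to /
# is owned by root (uid 0) and not writable by group or others.
# Function names are hypothetical; `stat -c` assumes GNU coreutils (Linux).

# component_ok UID MODE: succeed when one directory meets sshd's rule.
component_ok() {
    [ "$1" = "0" ] || return 1            # must be owned by root
    [ $(( 0$2 & 022 )) -eq 0 ]            # no group-write / other-write bit
}

# audit_chroot_path DIR: print a verdict per component, return 1 on any FAIL.
audit_chroot_path() {
    local path=$1 rc=0 info uid mode
    case $path in
        /*) ;;
        *) echo "FAIL $path (absolute path required)"; return 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "FAIL $path (not a directory)"; rc=1
        else
            info=$(stat -c '%u %a' "$path" 2>/dev/null) || info=""
            uid=${info%% *}; mode=${info##* }
            if [ -n "$info" ] && component_ok "$uid" "$mode"; then
                echo "ok   $path (uid=$uid mode=$mode)"
            else
                echo "FAIL $path (uid=${uid:-?} mode=${mode:-?})"; rc=1
            fi
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")           # walk up towards /
    done
    return "$rc"
}

# Usage: ./audit.sh /home/jolsen   (jolsen is the article's example user)
if [ "$#" -gt 0 ]; then
    audit_chroot_path "$1"
fi
```

Any FAIL line names the directory whose ownership or mode has to change before sshd will accept the chroot for that user.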
Shell Access
rbash (restricted shell) restricts capabilities available to an interactive user session, or to a shell script, running within it. It provides an additional layer of security for general users only. More advanced users may write programs that can break out of rbash.
Further lock down the system using permissions and/or ACLs.
Research
How to configure sftp to lock down directory with groups - http://www.debian-administration.org/articles/590
scponly sounded like a quick easy solution but did not get a good feeling when reading the docs as it sounds complicated - https://github.com/scponly/scponly/wiki