How to restrict server users to a specific directory in Linux

Need to lock down that Linux server so certain remote users can only access a specific directory, and only for file upload and download purposes? Jack Wallen shows you how.

[Image: view of a server room data center, 3D rendering. Image: Production Perig/Shutterstock]

If you have a server with SSH access, then unless you have configured it otherwise, any user with an account on that system can log in and, if they have the permissions and the skill, wreak havoc on your server.


You don't want that.

What you can do is restrict those users with a chroot jail. By doing this you severely limit what those users can do on your system. In fact, any user who is confined to a chroot jail can:

  1. Only access the server via sftp
  2. Only access a specific directory

This is a great security addition to your Linux servers, and if you have such a use case, consider it a must-do. It is especially important when you have a server that houses sensitive data and you don't want users even viewing those files and folders.

This setup isn't all that complicated. In fact, the configuration is far easier than finding reasons to deploy the feature. But on those occasions when you do need to severely restrict what a user can access on your Linux servers, this is one sure-fire way of doing so.

What you'll need

To make this work, you'll need a running instance of Linux and a user with sudo privileges. That's it. Let's make some security magic.

How to create a restricted group and add users on a Linux server

The first thing we must do is create a new group and add users to it. Create the group with:

sudo groupadd restricted

Next, add a user to the group with the command:

sudo usermod -g restricted USERNAME

Where USERNAME is the user you want to add to the restricted group.


How to configure SSH

Open the SSH daemon configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line (near the bottom):

Subsystem sftp  /usr/lib/openssh/sftp-server

Change that line to:

Subsystem sftp internal-sftp

At the bottom of the file, add the following:

Match group restricted
  ChrootDirectory /home/
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Save and close the file. Restart SSH with:

sudo systemctl restart ssh
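Before restarting the daemon it pays to check that the pieces above are actually in place, because sshd is strict about chroot jails: the ChrootDirectory, and every directory above it, must be owned by root and must not be writable by group or others, otherwise the user's login fails with "bad ownership or modes for chroot directory". The script below is an added example, not part of the original article and not OpenSSH's own tooling: it renders the Match block, checks a config file for the two changes described above, and walks the chroot path verifying ownership and permission bits. All function names are my own; it assumes GNU coreutils (stat -c), and the Match block matches a user's primary or supplementary groups, so `usermod -aG restricted USERNAME` (adding the group instead of replacing the primary group) also triggers it.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for the sftp-only
# chroot setup. Helper names are my own; requires GNU stat (-c).

# render_match_block GROUP CHROOT_DIR
# Emits the Match block the article appends to sshd_config, so it can be
# reviewed or diffed before being written with sudo.
render_match_block() {
    printf 'Match Group %s\n' "$1"
    printf '  ChrootDirectory %s\n' "$2"
    printf '  ForceCommand internal-sftp\n'
    printf '  AllowTcpForwarding no\n'
    printf '  X11Forwarding no\n'
}

# mode_is_chroot_safe OCTAL_MODE
# sshd rejects a ChrootDirectory that is writable by group or others.
# Returns 0 if the permission bits are acceptable, 1 otherwise.
mode_is_chroot_safe() {
    perm=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # drop setuid/setgid/sticky digit
    go=$(printf '%s' "$perm" | cut -c2-3)                 # group and other digits
    case "$go" in
        *[2367]*) return 1 ;;   # the write bit (2) is set in one of them
    esac
    return 0
}

# chroot_path_ok DIR
# Every component from DIR up to / must be root-owned and not group/other
# writable, or sshd refuses the login. Prints the first offending path.
chroot_path_ok() {
    d=$1
    while :; do
        uid=$(stat -c '%u' "$d" 2>/dev/null) || { echo "cannot stat: $d"; return 1; }
        mode=$(stat -c '%a' "$d")
        if [ "$uid" != 0 ]; then echo "not root-owned: $d"; return 1; fi
        if ! mode_is_chroot_safe "$mode"; then echo "group/other-writable: $d"; return 1; fi
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# sftp_only_config_ok FILE
# Checks that FILE contains the settings the article changes: the in-process
# sftp subsystem and a Match block carrying ChrootDirectory and ForceCommand.
# Still run `sudo sshd -t` before restarting; it catches syntax errors that
# would otherwise lock everyone out.
sftp_only_config_ok() {
    f=$1
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp[[:space:]]*$' "$f" || return 1
    grep -Eiq '^[[:space:]]*Match[[:space:]]+Group[[:space:]]+restricted([[:space:]]|$)' "$f" || return 1
    grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]+/' "$f" || return 1
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$f" || return 1
    return 0
}

# Usage on a real host (needs root; shown as an illustration, not run here):
#   render_match_block restricted /home/ | sudo tee -a /etc/ssh/sshd_config
#   sudo sshd -t && sftp_only_config_ok /etc/ssh/sshd_config && chroot_path_ok /home
#   sudo systemctl restart ssh
```

The permission check is deliberately conservative: /home on most distributions is root-owned 755 and passes, but a ChrootDirectory pointed at a user's own home directory (typically 750 or 755 but owned by the user) fails the ownership test, which is exactly why the article chroots to /home/ and lets the user cd into their own directory afterwards.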

Now, go to another machine and attempt to SSH into the server as that user, such as:

ssh olivia@192.168.1.147

You'll see the warning:

This service allows sftp connections only.
Connection to 192.168.1.147 closed.

In order for any user in the restricted group to log into the server, they must use sftp like so:

sftp USERNAME@SERVER

Where USERNAME is the username and SERVER is the IP address or domain of the server. Once they successfully log in, they'll be at the sftp prompt, where they can transfer files back and forth with the put and get commands. These restricted users can only upload files to their home directories. When a restricted user initially logs in, they'll be in the /home directory, so to upload successfully they must change into their home directory with a command like:

cd olivia

Once in their home directory, they can then issue a command like:

put file1

As long as that file is in the current working directory on the machine they logged into the server from, it will upload just fine. If those users only need to download files to their local machine, they'd use a command like:

get file1

I realize this is a very limiting configuration with very limited use cases, but at some point in your Linux admin career you're going to run into an instance where you need to restrict users to logging into a chroot jail. This is one way to do it.
