How to chroot a user in Ubuntu 12.04

External parties often need to upload data to your application. Sadly, most ask for a FTP server. Push back against this and suggest they use sFTP.

This article explains how to set-up a chroot-ed user in Ubuntu 12.04 so that an external party can upload data to your application securely.

This is mainly for my own reference.

User set-up

Create user with a dummy shell:

$ adduser --shell=/bin/false barry

and alter the ownership and permissions of their home folder:

$ chown root:barry /home/barry
$ chmod 755 /home/barry

Now create a folder to upload to:

$ mkdir /home/barry/uploads
$ chown barry:barry /home/barry/uploads
$ chmod 755 /home/barry/uploads

SSH config

Edit /etc/ssh/sshd_config and comment out the line:

Subsystem sftp /usr/lib/openssh/sftp-server

and add the following at the bottom of the file:

Subsystem sftp internal-sftp
Match User barry
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no

then restart SSH:

$ /etc/init.d/ssh restart

The new user should now be able to sFTP.

Further reading

----

Tagged with: ubuntu
Filed in: tips
Revision history

Previous: Prefer WebTest to Django's test client for functional tests
Next: Effective pull requests and other good practices for teams using github

Copyright © 2005-2017 David Winterbottom
Content licensed under CC BY-NC-SA 4.0.