Sandboxing SFTP users


I figured I'd write this down as I fix basic sandboxing for my web users on my VPS. In my haste to set up the domains I missed that they could pull down the entire filesystem. Oops :). A small how-to for enabling a sandbox (chroot) in OpenSSH:

Add the following lines at the end of /etc/ssh/sshd_config (everything after a Match line, up to the next Match, applies only to the users it selects, so it must come after the global settings). The block matches any user in the sftpusers group and confines them: a chroot into their home directory, SFTP only (ForceCommand overrides whatever login shell the account has, so no shell is reachable), and no TCP or X11 forwarding out of the sandbox.

Match Group sftpusers
   ChrootDirectory /home/%u
   ForceCommand internal-sftp
   AllowTcpForwarding no
   X11Forwarding no

Create the home directory and point the account at it. I moved my sites to their own /home/ directory. One rule matters here: sshd only accepts a ChrootDirectory whose every path component is owned by root and not writable by group or others, so the user must not own /home/<username> itself. Give them a subdirectory inside it (for example /home/<username>/www) for the site files; that is the only place they will be able to write.

groupadd sftpusers                         # the group the Match block keys on (skip if it already exists)
mkdir /home/<username>                     # made by root, so root-owned and 0755, which is what sshd requires
usermod -d /home/<username> <username>     # point the account's home at the chroot directory
usermod -a -G sftpusers <username>         # -a appends; without it -G replaces all supplementary groups

This confines the user to /home/<username>, which appears as / in their SFTP session. Check the config with "sshd -t" and reload sshd. If the login then fails and the auth log says "bad ownership or modes for chroot directory", the ownership rule above was not met on the directory or one of its parents.
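The following script is an added example and not the commands from the original post. It builds the layout the Match block expects for one user (root-owned chroot directory, a user-owned subdirectory for the site files) and, separately, checks a path the same way sshd does before it chroots: every component from the directory up to / must be owned by uid 0 and have no group or other write bit. The group name sftpusers comes from the post; the "www" subdirectory name and the use of GNU stat (Linux) are assumptions. The setup function has to run as root; the check functions do not.

```shell
#!/bin/sh
# Added example, not the original post's commands. Creates the chroot layout
# for one SFTP-only user and checks the path the way sshd does before it
# chroots. Assumes Linux (GNU stat) and, by choice rather than requirement,
# a subdirectory named "www" for the site files.
set -eu

SFTP_GROUP=sftpusers   # the group the Match block keys on (from the post)
SITE_SUBDIR=www        # writable directory inside the chroot (assumption)

# One directory component must be owned by OWNER_UID (0 as far as sshd is
# concerned) and must not be writable by group or other: (mode & 022) == 0.
# Usage: check_dir_component DIR [OWNER_UID]
check_dir_component() {
    dir=$1
    owner=${2:-0}
    if ! info=$(stat -c '%u %a' "$dir" 2>/dev/null); then
        echo "missing or unreadable: $dir" >&2
        return 1
    fi
    set -- $info                         # $1 = uid, $2 = octal mode, e.g. "0 755"
    if [ "$1" -ne "$owner" ]; then
        echo "bad ownership: $dir is owned by uid $1, expected $owner" >&2
        return 1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "bad modes: $dir is $2, group/other write must be off" >&2
        return 1
    fi
}

# sshd walks every component from DIR up to / ("All components of the
# pathname must be root-owned directories that are not writable by any
# other user or group", sshd_config(5)). Do the same and report each offender.
# Usage: check_chroot_path DIR [OWNER_UID]
check_chroot_path() {
    path=$1
    owner=${2:-0}
    case $path in
        /*) ;;
        *) echo "need an absolute path: $path" >&2; return 1 ;;
    esac
    status=0
    while :; do
        check_dir_component "$path" "$owner" || status=1
        if [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return "$status"
}

# Build the layout the Match block expects; must run as root:
#   /home/USER      root-owned, 0755: the ChrootDirectory, the user cannot write here
#   /home/USER/www  owned by USER: where the site files go
# ForceCommand internal-sftp already denies a shell, so the login shell is left alone.
# Usage: setup_sftp_user USER
setup_sftp_user() {
    user=$1
    home=/home/$user
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    mkdir -p "$home/$SITE_SUBDIR"
    chown root:root "$home"
    chmod 0755 "$home"
    chown "$user" "$home/$SITE_SUBDIR"
    chmod 0755 "$home/$SITE_SUBDIR"
    usermod -d "$home" -a -G "$SFTP_GROUP" "$user"
}

# Run as: sudo sh sftp-chroot.sh USER  (with no argument only the functions are defined)
if [ "$#" -ge 1 ]; then
    setup_sftp_user "$1"
    check_chroot_path "/home/$1"
fi
```

Run the check against /home/<username> after the setup and again whenever a login is refused: sshd logs only the first bad component, while the walker lists every one, which is the quick way to spot a /home that someone made group-writable.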

More detail, and the guide I followed, can be found here: https://wiki.archlinux.org/index.php/SFTP_chroot