Sandboxing SFTP users Posted:
I figured I'd write down as I fix a basic sandboxing for my web users on my VPS. In my haste to set up the domains I missed that they could pull down the entire filesystem. Oops :). A small how-to enable sandbox (chroot) in OpenSSH:
Add the following lines to /etc/ssh/sshd_config. It will match any user in the sftpusers group for the sandboxing.
Match Group sftpusers ChrootDirectory /home/%u ForceCommand internal-sftp AllowTcpForwarding no X11Forwarding no
Create and set home directory for said user. I moved my sites to their own /home/ directory.
mkdir /home/<username> usermod <username> -d /home/<username> usermod <username> -G sftpusers -a
This should now sandbox the user to it's own home directory.
More detailed info and the guide I followed found here: https://wiki.archlinux.org/index.php/SFTP_chroot