All Articles

Sandboxing SFTP users

I figured I’d write down as I fix a basic sandboxing for my web users on my VPS. In my haste to set up the domains earlier I missed that they could pull down the entire filesystem. Oops :). Here’s a small how-to enable sandbox (chroot) in OpenSSH.

Add the following lines to /etc/ssh/sshd_config. It will match any user in the sftpusers group for the sandboxing.

Match Group sftpusers
	ChrootDirectory /home/%u
	ForceCommand internal-sftp
	AllowTcpForwarding no
	X11Forwarding no

Create and set home directory for said user. I moved my sites to their own /home/ directory.

mkdir /home/<username>
usermod <username> -d /home/<username>
usermod <username> -G sftpusers -a

This should now sandbox the user to it’s own home directory.

More detailed info and the guide I followed found here: https://wiki.archlinux.org/index.php/SFTP_chroot

Published Oct 8, 2014

Security Engineer with a dash of software. Originally from Stockholm, now in Berlin. I like to hack things.