SFTP User with access to specific folder only - permission denied to create files
Sebastian Wright
So I am trying to create a user that only has access to a specific folder inside my public_html folder. I have successfully created the user and I am able to login. I had some trouble logging in at the start, because the folder had to be owned by root before the sftp user could sftp.
So I followed this guide: - instructing me to change ownership of the folder to root.
After doing this, I can successfully login, however, once I login, I am unable to add files or do anything within this folder, since it is owned by root.
I tried creating a group, and adding the root user and the sftp user as members of this group, but that didn't work either.
My workaround was to create another directory inside the sftp folder, using the root user, and then afterwards changing ownership to the sftp user, but this seems too hacky to me and additionally adds another folder to the tree structure, which I am not a huge fan of.
Any ideas how to allow an sftp user write access to a folder, while root remains the owner?
1 Answer
There's a lot of chatter about this kind of thing across a few stack exchange sites. But in case this is not a duplicate ...
In my CentOS 7 when you use ChrootDirectory to restrict a user to a directory, that directory has to be owned by root and it cannot allow write access to any other user either by permissions or FACLs. You can set up a symbolic link but the sftp user will not be able to follow it if s/he's restricted to a directory. So you have to do this.
Create a user:

    useradd ftp_user

Set up a password:

    passwd ftp_user

Set up permissions. His home dir is going to be his jail:

    chown root:root /home/ftp_user
    chmod 0755 /home/ftp_user

Restrict the user to that jail now:

    vi /etc/ssh/sshd_config

Change this:

    #Subsystem sftp /usr/lib/openssh/sftp-server

to

    Subsystem sftp internal-sftp

Add:

    Match User ftp_user
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTCPForwarding no
        X11Forwarding no

Save and exit vi.
Don't forget:

    systemctl restart sshd

Now we trick them. Let's say your client has a website that you're going to let him keep playing with at /var/www/corny_website
Make sure he has permissions on that directory:

    setfacl -m u:ftp_user:rwx /var/www/corny_website
    setfacl -d -m u:ftp_user:rwx /var/www/corny_website

Now you mount it instead of symlinking to it:

    mkdir /home/ftp_user/corny_website
    mount --bind /var/www/corny_website /home/ftp_user/corny_website

Now when the user sftps, he won't get that broken pipe error, and he'll only be able to see /home/ftp_user, and what's more, he'll only be able to upload to or download from /var/www/corny_website, which he sees as /corny_website.