Technology WordPress Tips & Tricks

How to Create an SFTP User with Limited Access on Ubuntu

Giving someone file access without handing over the keys takes a properly scoped account. Here is how to create an SFTP user with limited access on Ubuntu, so collaborators can do their job without risking your whole server.

Sumit Pore Sumit Pore 4 min read
How to Create an SFTP User with Limited Access on Ubuntu
restrict-ubuntu-sftp-user
Limit Access of an SFTP User

Hey Folks, I am back. I’ve been busy with client commitments, so didn’t have much time (not that I have a lot now, so let’s get straight to the point).

As a developer, some day or another, you will or already have come across a situation where a client has asked you for FTP access of your development site/server. The reason could be any… I’ve had some clients tell me:

  • I want to check the quality of your code…. okay
  • I want to add a new plugin…. ummm….. fine
  • I want to add some functionality developed by another vendor…. oookkaayy
  • I want to edit the code in some plugin….. oh…ok (panic mode on!)

Whatever the reason might be, you will have to grant access. But if you host all development sites on a single server, then you would be keen towards giving your client restrictive access to the server. This would mean the client would have access only to the directory allotted to him.

Since SFTP is secure than FTP, we always prefer the SFTP setup rather than FTP setup. (If you are new to SFTP, you can read about the key difference between FTP and SFTP. Others, read on.)

Restrictive SFTP User

Please note, the below process is applicable to Ubuntu, and I assume you have already created the site :D

Let’s assume the root directory of your site is /home/yoursite.com. So when running the below commands, change /home/yoursite.com to your site’s root directory.

Create a New User

Now, lets create a new user named ‘client_user’ and assign that user /home/yoursite.com directory as a home directory. Fire up your terminal to connect to your server. Once you are connected, below command can be used to create a user. Make sure you replace client_user with the username you prefer and /home/yoursite.com with the directory you want to assign to that user.

sudo useradd -d /home/yoursite.com client_user

(Interested in reading about other options which can be passed to useradd? If yes, then you can read through these examples.)

Set a Password

Once the user is created, we need to set a password. To set a password for that user, execute the below command

sudo passwd client_user

We are ready with the new user now. Its time to make some changes in our SSH configuration.

Restrict Access

Open the /etc/ssh/sshd_config file and append the below given code. (Remember to replace client_user with username you have created)

subsystem sftp internal-sftp
Match User client_user
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

%h stands for home directory.

After doing the above changes, save the file and restart the SSH service. To restart SSH service, execute

sudo service ssh restart

[space]

Done! Now try logging into the system with the new user’s credentials, and check if everything is working correctly.

One last tip: For those of you who get a ‘fatal: bad ownership or modes for chroot directory’ error, do not worry. When this issue occurs, we need to make sure that the home directory of a user is owned by root and no one else can write into that directory. So change the owner of home directory using the following commands:

sudo chown root:root /home/yoursite.com
sudo chmod 755 /home/yoursite.com

After changing the permissions, try it again. If it still does not work for you, do leave your comments. I will be more than happy to help you :)

Get a FREE Consultation

Let's build something that lasts.

Share what's on your mind — a clear brief, a half-formed idea, or just a sense that something needs to change. We'll listen first, ask the right questions, and point you toward what's actually worth building.

We take on a handful of projects each quarter,ones where we can truly make a difference.

  • Receive a human response within 24 hours
  • Get a detailed scope and quote upfront
  • We're happy to sign an NDA upon request

    Free 30-Min Strategy Call

    Your Name *

    Your Phone No *

    Work Email *

    Your Budget*

    Project Details *