# Restrict ssh access to only one directory

## tommy_fila

I can't seem to figure out how to do the following:

I have a game server running on my computer, and I'm letting other people use it. They have asked repeatedly if they could get ssh access to the server, so they can make changes whenever they want to without having to contact me. So now I'm trying to set up ssh in order for them to have access. However, I obviously don't want them to mess around on my computer. To be more specific, I only want them to have access to one directory (/home/server). I don't want them to be able to look at or change anything else. Also, I don't want them to be able to open any programs except a very simple editor to edit configuration files. One thing I do want them to do is upload files (e.g. maps for the game server) into the directory.

I hope this gives people an idea of what I want. Any ideas on how I can accomplish this? I've read some things about "chroot", but I couldn't find any good documentation or guides.

Thanks in advance for the help.

----------

## yaneurabeya

chroot jail? Be wary though what programs that have access to even in the jail ~_~...

----------

## tommy_fila

I have no idea what that means. If you want to help, please be more specific. I need a somewhat detailed outline of what exactly I need to do. Your post doesn't get me any further.

----------

## dejima

You can take a look @ 

http://www.jmcresearch.com/projects/jail/.

I don't if this is a very good implementation of the chroot jail but it sure explains the philosophy of the chrooted enviroments.

----------

## servo888

 *tommy_fila wrote:*   

> I can't seem to figure out how to do the following:
> 
> I have a game server running on my computer, and I'm letting other people use it. They have asked repeatedly if they could get ssh access to the server, so they can make changes whenever they want to without having to contact me. So now I'm trying to set up ssh in order for them to have access. However, I obviously don't want them to mess around on my computer. To be more specific, I only want them to have access to one directory (/home/server). I don't want them to be able to look at or change anything else. Also, I don't want them to be able to open any programs except a very simple editor to edit configuration files. One thing I do want them to do is upload files (e.g. maps for the game server) into the directory.
> 
> I hope this gives people an idea of what I want. Any ideas on how I can accomplish this? I've read some things about "chroot", but I couldn't find any good documentation or guides.
> ...

 

I'm trying to do the same thing! But from what I gather the chroot jail might not be the best way to doing this... Let me explain the idea behind the chroot jail - you have a user login via ssh, ssh will run a script that puts the users home directory into a chroot environment (from which you shouldn't be able to exit out of, so your wont be able to distroy anything). The problem is that it's not much of a jail if the user can simply 'exit' from =\... I've been trying to figure this out for a while now - but good tutorials are rare these days.

----------

## kloune

Have a look at jail. Here as already said : http://www.jmcresearch.com/projects/jail/, it's not really a script. The user can't really escape, because the jail program is it's login shell. And if you give the user only things like ls and so on, it's not really a problem.

----------

## rex123

Maybe what you really want is an ftp server?

----------

## solomonHk

I'de say jail shell is the best way to go.

----------

## tommy_fila

Allright, lets bring this topic back to life.

So I tried jail for a while, but it really didn't do it for me. It's a pain having to install every program into the chrooted shell. What I'm trying to do now is just create another user and make the server directory his home directory. I realize that the user will be able to move outside his home directory, but what I didn't realize is that they could read everyone's files. Is there any way I can restrict the new user to only being able to read his own files, and not anyone's elses? This really shouldn't be that difficult.

----------

## yaneurabeya

 *tommy_fila wrote:*   

> Allright, lets bring this topic back to life.
> 
> So I tried jail for a while, but it really didn't do it for me. It's a pain having to install every program into the chrooted shell. What I'm trying to do now is just create another user and make the server directory his home directory. I realize that the user will be able to move outside his home directory, but what I didn't realize is that they could read everyone's files. Is there any way I can restrict the new user to only being able to read his own files, and not anyone's elses? This really shouldn't be that difficult.

 

Modify the permissions so that the group for the user will be "nobody" and that the username isn't used by any of your other users, ie special_ftp:nobody for example  :Smile: . Make sure that he isn't in any other groups as well... (ie 'users')

----------

## tommy_fila

How can I modify the group to be "nobody"? I already tried creating another group, and make the user only member of that group, but it still doesn't work. Do I have to change something about the group permissions?

Thanks for helping.

----------

## tommy_fila

Allright, I think I see what you meant. I added my user to the "nobody" group, but they can still look at everyone else' files. This is really strange. What can I do?

----------

## yaneurabeya

```
/usr/sbin/adduser -g nobody [username]
```

usermod also suffices too if you already have an account setup...

```
/usr/sbin/usermod -g nobody [username]
```

----------

## tommy_fila

See above post. I tried that, to no avail.

----------

## yaneurabeya

 *tommy_fila wrote:*   

> See above post. I tried that, to no avail.

 

Ah, silly me. I knew that would probably come up. Make sure that all of the files that you _don't_ want people to see aren't world readable/writable, ie the permission's 0770 or 0750. I forget how to set this to be the default create permission, but it has to deal with some environments to some level...

----------

## tommy_fila

So I can apply those two permissions to all my files?

----------

## yaneurabeya

Yup, and if your user's group is strictly set to 'nobody' and the files are not owned by the 'nobody' group, then yes they won't be able to read the files  :Smile: . Good luck!

----------

