sharing resources is fine, but letting anyone access all files of your operating system, even read-only, sounds adventurous.

so you might want people to be able to securely upload and download files via sftp (which is basically ssh) to their home directories, but not "escape" from there and list /home or / or even access other people's home directories.

this can be done by

1. limiting ssh for certain users to sftp only

2. make the user chroot into their home

# you might want to open up a second connection and monitor what is going on in the log files:
tail -f /var/log/auth.log

vim /etc/ssh/sshd_config; # open up main sshd service config file

# add those lines

Match User user
    ChrootDirectory /home/user
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
ESC :wq # save changes and quit

service ssh restart; # restart ssh service so changes take effect

chown root:root /home/user/; # otherwise chroot complains fatal: bad ownership or modes for chroot directory "/home/user"
chmod 755 /home/user/; #

# but: this will run you into "Could not update ICEauthority file /home/user/.ICEauthority"
# if you are running gnome2 with xauth on the server (probably not :-D except if it's a test server)

# by default user rights look like this:
# the user "user" has its own group "user" and completely owns this directory
/home$ ll
total 4.0K
drwxr-xr-x 24 user user 4.0K May 11 10:05 user

# fixed the problem
# 1. make root own all user directories
# 2. but at the same time give the user's own group write access to user's home directory

root@debian:~# chown root:user /home/user
root@debian:~# chmod g+w /home/user

now your users should be able to connect to your server and upload and download stuff via sftp, but not be able to leave their home directories, e.g. with the very very excellent, best ssh client on the planet: mobaXterm – rock on! 🙂

creditz:

https://serverfault.com/questions/584986/bad-ownership-or-modes-for-chroot-directory-component

Links:

http://dwaves.de/2017/05/11/could-not-update-iceauthority-file-homeuser-iceauthority/

admin