"Chroot" means "change root". An SFTP chroot is a security configuration for the SSH service that confines SFTP users to a specific directory on the server. For them, this directory becomes the system root (
/), and they cannot navigate to or see files outside of this "jail".
Why use an SFTP chroot?
- Security: This is the main reason. You grant access to a server for file transfers without exposing your entire system tree.
- Privacy: Isolates users from one another. Each user only sees their own environment.
- Simplicity for the user: The user is not overwhelmed by the server's complex filesystem tree.
Prerequisites
- A Linux server (Ubuntu/Debian, CentOS/RHEL, etc.).
- Root access or sudo privileges.
- The OpenSSH Server service is installed and running.
Configuration
Step 1: Create a group for SFTP users
It is recommended to manage SFTP users through a dedicated group.
sudo groupadd sftp_usersStep 2: Create a user and their directory
We are going to create a new user, for example `laura`, who will be restricted to SFTP.
# Create the user without an interactive shell and add them to the sftp_users group
sudo useradd -m -G sftp_users -s /sbin/nologin laura
# Set a password for this user
sudo passwd lauraStep 3: Prepare the chroot tree
This is the most important step and the source of many errors. The permission structure is very strict.
# Create the directory that will serve as the jail
sudo mkdir -p /sftp/laura
# The root directory of the jail MUST be owned by root
sudo chown root:root /sftp/laura
# Permissions must NOT allow write access for the group or others
sudo chmod 755 /sftp/laura
# Create a subdirectory where the user will be able to write files
sudo mkdir /sftp/laura/uploads
# Give ownership of this directory to the user
sudo chown laura:sftp_users /sftp/laura/uploadsIf the chroot root directory (
/sftp/laura) is writable by the user, SSH will refuse the connection for security reasons. It must be owned by root.
Step 4: Configure the SSH service
Edit the /etc/ssh/sshd_config file to enable chroot for our group.
sudo nano /etc/ssh/sshd_configAdd this block at the very end of the file:
# Rule for the sftp_users group
Match Group sftp_users
# Apply the chroot to the specified directory (%u is replaced by the username)
ChrootDirectory /sftp/%u
# Force the internal SFTP command (disables shell access)
ForceCommand internal-sftp
# Disable tunneling features, not needed for SFTP
AllowTcpForwarding no
X11Forwarding no
Step 5: Restart the SSH service
Apply the changes by restarting the SSHD service.
sudo systemctl restart sshdTesting the connection
From a client machine, try to connect via SFTP.
sftp laura@your_server_ipOnce connected, you should be in the root directory (which is actually /sftp/laura). You will not be able to move up the tree (cd .. will fail). You should only be able to write in the uploads directory.
sftp> pwd
Remote working directory: /
sftp> ls
uploads
sftp> cd uploads
sftp> put my_file.txt
Uploading my_file.txt to /uploads/my_file.txt
Your user is now confined to their directory, protecting the rest of your server.
Conclusion
Setting up an SFTP chroot is an essential skill for any system administrator. It represents an excellent balance between the need to provide access for file transfers and the imperative to secure the underlying system. The key to success lies in the rigorous management of directory permissions.
Comments