Learn how to configure a Chroot SFTP server in Linux with our step-by-step guide. Enhance your server's security by confining SFTP users to a chroot jail and denying them a shell.
What is SFTP?
SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs as a subsystem of the SSH protocol and therefore inherits the full encryption and authentication functionality of SSH. Despite the name it shares nothing with legacy FTP on the wire (and is not the same as FTPS, which is FTP over TLS). SFTP has largely replaced FTP and is far more reliable and secure than FTP.
What is Chroot?
Chroot is an operation that changes the apparent root directory for the current running process and its child processes. The resulting environment is called a chroot jail. A process in a chroot jail cannot reach files outside the designated directory through normal path lookups. Note that chroot is a filesystem-view restriction, not a full sandbox: it is only effective when the jailed process runs unprivileged, which is why sshd drops to the user's uid after entering the chroot and insists that the chroot directory itself be owned by root and not writable by the user.

Problem Statement
When multiple users work on a common project, they often require a common place to share their work with each other. This common place is called a collaborative directory. Often such a directory is created with no access control at all, which leads to conflicts between users and exposes the data to anyone on the system. A properly configured collaborative directory, however, controls both authentication and authorization of the legitimate users.
In this article, we will configure a collaborative directory that our users can securely upload files to and download files from via SFTP, and we will limit their access to that directory by means of a chroot jail. We will also make sure that the same credentials cannot be used to obtain a shell on the server.

Linux Server Specification
We have configured a Linux machine with following specification:
- Hostname – fileserver-01.example.com
- IP Address – 192.168.116.42/24
- Operating System – CentOS 7.5
Configure Chroot SFTP Server in Linux
Connect to the CentOS 7 server via ssh as the root user.
The SFTP server is provided by the openssh-server package (either as the external sftp-server binary or as the built-in internal-sftp), and the sftp client by openssh-clients; both are already installed on almost every Linux distribution. Therefore we do not have to install anything, we only need to configure sshd according to our requirements.
Create a group for collaborative users.
groupadd -g 1501 dev
Create 3 collaborative users with dev as their supplementary group and /sbin/nologin as their login shell, so the accounts cannot be used for an interactive shell.
useradd -u 1001 -G dev -s /sbin/nologin ahmer
useradd -u 1002 -G dev -s /sbin/nologin mansoor
useradd -u 1003 -G dev -s /sbin/nologin danish
Set the home directories of these users to /common. sshd interprets the home directory inside the chroot, so /common here corresponds to /chroot/sftp/common on the real filesystem (created below); the users land there after logging in.
usermod -d /common ahmer
usermod -d /common mansoor
usermod -d /common danish
Set passwords for the users. The password 123 is only a placeholder for this demo; use strong passwords on a real server.
echo 123 | passwd ahmer --stdin
echo 123 | passwd mansoor --stdin
echo 123 | passwd danish --stdin
Create the chroot target and, below it, the collaboration directory, then set permissions. sshd requires the ChrootDirectory and every directory above it to be owned by root and not writable by group or others, so the group-writable area must be a subdirectory of the chroot rather than the chroot itself. The setgid bit (the leading 2 in 2775) makes files created in common inherit the dev group, so the umask configured below decides how members share them.
mkdir -p /chroot/sftp
chmod 555 /chroot/sftp
mkdir /chroot/sftp/common/
chgrp dev /chroot/sftp/common/
chmod 2775 /chroot/sftp/common/
Configure the sshd service to handle the collaborative users.
vi /etc/ssh/sshd_config
Search for and comment out the following line.
#Subsystem sftp /usr/libexec/openssh/sftp-server
Add the following lines at the end of /etc/ssh/sshd_config. The Subsystem line must stay outside the Match block, and a Match block extends to the next Match or to the end of the file, so keep these lines last.
Subsystem sftp internal-sftp
Match Group dev
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /chroot/sftp/
    ForceCommand internal-sftp -u 007
internal-sftp runs the SFTP server inside the sshd process itself, so no shell, binaries or libraries need to exist inside the chroot. We set the umask to 007, which removes all permissions for others from newly created files and directories: group members can read and write each other's files, while other users get no access. Adjust the umask to your requirements (e.g. if group members should be able to read but not modify each other's files, use a umask of 027, which additionally removes write permission for the group).
Save and exit vi editor.
Restart sshd service to apply changes.
systemctl restart sshd
Test Chroot SFTP Server
Connect to fileserver-01.example.com using the sftp command. In this example the connection is made from the server itself, hence localhost; from another machine, use the hostname or IP address instead.
sftp ahmer@localhost
We have successfully connected to our server using SFTP protocol.
Check working and root directories.
pwd
ls -al /
Output:
Remote working directory: /common
dr-xr-xr-x 3 0 0 20 Sep 9 07:13 .
dr-xr-xr-x 3 0 0 20 Sep 9 07:13 ..
drwxrwsr-x 2 0 1501 163 Sep 9 07:56 common
You can see that the session is now in a chroot jail: the / the user sees is /chroot/sftp on the real filesystem, and the user cannot reach anything outside it.
Let's upload a file to the server.
put hosts
Output:
Uploading hosts to /common/hosts
hosts 100% 158 244.7KB/s 00:00
List the files in the collaborative directory.
ls -al
Output:
drwxrwsr-x 2 0 1501 176 Sep 9 08:10 .
dr-xr-xr-x 3 0 0 20 Sep 9 07:13 ..
-rw-rw---- 1 1001 1501 158 Sep 9 08:10 hosts
After various files have been uploaded by different users, the directory looks like this on the real filesystem:
ls -al /chroot/sftp/common/
Output:
total 32
drwxrwsr-x. 2 root dev 176 Sep 9 13:10 .
dr-xr-xr-x. 3 root root 20 Sep 9 12:13 ..
-rw-rw----. 1 mansoor dev 1409 Sep 9 12:50 anaconda-ks1.cfg
-rw-rw----. 1 ahmer dev 1409 Sep 9 12:48 anaconda-ks.cfg
-rw-rw----. 1 mansoor dev 0 Sep 9 12:10 exports
-rw-rw----. 1 ahmer dev 506 Sep 9 12:16 fstab
-rw-rw----. 1 ahmer dev 158 Sep 9 13:10 hosts
-rw-rw----. 1 ahmer dev 1452 Jun 2 14:56 ldapserver.pem
-rw-rw----. 1 ahmer dev 925 Sep 9 12:09 passwd
-rw-rw----. 1 danish dev 2885 Sep 9 12:54 vmware-vgauthsvc.log.0
-rw-rw----. 1 ahmer dev 813 Sep 9 12:53 yum.conf
Also verify that these users cannot obtain a shell with the same credentials over ssh.
ssh mansoor@localhost
Output:
mansoor@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
We have successfully configured a chrooted collaborative directory for SFTP users in CentOS 7 with chroot jail and restricted Shell Access.
Frequently Asked Questions (FAQs)
1. What is a Chroot SFTP Server?
A Chroot SFTP server confines each SFTP session to a designated directory tree that appears as / to the user, so files outside it cannot be reached. This limits a compromised or misbehaving account to the specified folders.
2. Why should I use Chroot for SFTP?
Chroot improves security by isolating SFTP users, reducing the risk of unauthorized access to sensitive system files. It’s ideal for shared hosting or restricted file access scenarios.
3. Do I need a separate user for Chroot SFTP?
Yes, you should create dedicated users (or a dedicated group) for SFTP access. The chroot applies only to users matched by the Match block, so a regular system user with shell access is not restricted unless it is placed in that group, and users who are matched should be given a non-interactive shell so the credentials cannot be used elsewhere.
4. Can Chroot SFTP users access a normal shell?
No. Chroot SFTP users should have SFTP access only, with no SSH shell. In this setup that is enforced by ForceCommand internal-sftp, which answers any shell request with "This service allows sftp connections only.", and backed up by giving the accounts a non-interactive login shell (/sbin/nologin) so the same credentials cannot be used at a console or with su.
5. What permissions are needed for the Chroot directory?
The chroot directory and every directory above it must be owned by root and must not be writable by group or others (e.g. 755 or 555); sshd refuses the login otherwise. Because the jailed user therefore cannot write to the root of the chroot, a writable subdirectory such as /common is created inside it.
Final Thoughts
Configuring a Chroot SFTP server in Linux can significantly enhance your system’s security by isolating users to their own directories. By following this guide, you can set up a secure and efficient file transfer environment on your Linux server.