Creating Restricted Users

Note: We’ve had several customers report bugs when setting up the SCPOnly utility recently. We suspect that SCPOnly is not compatible with CentOS 5, the Linux distribution we’re using for newer customers. More details as we have them.

For one reason or another, you may want to create users who do not have normal access to your server.

In this example, we’re going to set up scponly so that our user will only be able to add or remove files in their home folder. The user will not be able to see files on the rest of the server. They will not even be able to get to a command prompt on the server; they will only be able to connect through sftp or scp for secure file transfers.

wget http://sublimation.org/scponly/scponly-4.6.tgz
tar vxzf scponly-4.6.tgz
cd scponly-4.6
sed -i -e 's/@PROG_USERADD@/\/usr\/sbin\/useradd/g' setup_chroot.sh.in
./configure --enable-chrooted-binary --enable-scp-compat
make && sudo make install
chmod +x setup_chroot.sh

sudo vi /etc/shells
# add these 2 lines:
/usr/local/bin/scponly
/usr/local/sbin/scponlyc

# setup a new jailed user
sudo ./setup_chroot.sh

# create /dev/null for this user (named scponly in this example)
sudo mkdir /home/scponly/dev
sudo mknod -m 666 /home/scponly/dev/null c 1 3

Optional: make ‘incoming’ the start folder for your user (named scponly in this example)

sudo vi /etc/passwd
# edit the user's home path (the double slash is important)
scponly:x:1001:1001::/home/scponly//incoming:/usr/local/sbin/scponlyc

Now your user(s) can connect to the server by scp or by sftp using an SFTP client. They will only be able to see files under their home directory, and will only be able to upload to the incoming directory.
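Once the steps above are done, it is worth checking the three things that most often go wrong with an scponly jail: the `//` chroot marker in the passwd home field, the login shell being listed in /etc/shells, and the /dev/null node inside the jail. The script below is an added example written for this page, not part of the original post or of the scponly project. It runs against constructed sample data (the passwd line from the post, a deliberately broken copy with a single slash, and a sample /etc/shells), so it needs no root and touches no real system files; the function names and the sample values are this example's own. On a live box you would pass the real passwd line, `$(cat /etc/shells)` and the real jail directory to `report`.

```shell
#!/bin/sh
# Added example (not from the original post): post-setup checks for an scponly
# jail, run here against constructed sample data so it needs no root and
# touches no real /etc files. Pass real values to the functions to audit a box.

# Constructed sample: the /etc/passwd line from the post (UID/GID 1001 are illustrative).
SAMPLE_PASSWD='scponly:x:1001:1001::/home/scponly//incoming:/usr/local/sbin/scponlyc'
# Constructed sample of the common mistake: a single slash, so scponlyc has no chroot point.
SAMPLE_BAD_PASSWD='scponly:x:1001:1001::/home/scponly/incoming:/usr/local/sbin/scponlyc'
# Constructed sample /etc/shells content after the two scponly lines were appended.
SAMPLE_SHELLS='/bin/sh
/bin/bash
/usr/local/bin/scponly
/usr/local/sbin/scponlyc'

# Split the home field of a passwd line at the "//" chroot marker.
# Prints "<chroot root> <start dir inside the jail>"; returns 1 when the marker is absent.
split_chroot_home() {
    pw_home=$(printf '%s\n' "$1" | cut -d: -f6)
    case $pw_home in
        *//*) ;;
        *) return 1 ;;
    esac
    printf '%s /%s\n' "${pw_home%%//*}" "${pw_home#*//}"
}

# Succeed when the entry's login shell appears in the given /etc/shells content
# (the post adds both scponly binaries there; chsh and pam_shells consult that list).
shell_is_registered() {
    pw_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    printf '%s\n' "$2" | grep -qxF -- "$pw_shell"
}

# Succeed when <jail>/dev/null is a character device with major 1, minor 3,
# which is what the mknod step creates. Uses GNU stat's %t/%T (hex major/minor).
jail_has_dev_null() {
    dev_path="$1/dev/null"
    [ -c "$dev_path" ] || return 1
    [ "$(stat -c '%t:%T' "$dev_path")" = "1:3" ]
}

# Print one PASS/FAIL line per check for a passwd entry, /etc/shells content and jail root.
report() {
    if parts=$(split_chroot_home "$1"); then
        echo "PASS chroot root ${parts% *}, start dir ${parts#* }"
    else
        echo "FAIL home field has no // chroot marker; scponlyc will not chroot"
    fi
    if shell_is_registered "$1" "$2"; then
        echo "PASS login shell is listed in /etc/shells"
    else
        echo "FAIL login shell is not listed in /etc/shells"
    fi
    if jail_has_dev_null "$3"; then
        echo "PASS $3/dev/null is a c 1 3 device"
    else
        echo "FAIL $3/dev/null missing or wrong; scp/sftp inside the jail will break"
    fi
}

# Demo against the constructed data. An unprivileged user cannot create a device
# node, so the fake jail's /dev/null check is expected to report FAIL here.
FAKE_JAIL=$(mktemp -d)
mkdir -p "$FAKE_JAIL/dev"
report "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$FAKE_JAIL"
report "$SAMPLE_BAD_PASSWD" "$SAMPLE_SHELLS" "$FAKE_JAIL"
rm -rf "$FAKE_JAIL"
```

The `//` check matters because scponlyc reads everything before the double slash as the chroot root and everything after it as the directory the user lands in; with a single slash the user still gets a restricted shell but no jail, which is exactly the condition the passwd edit in the post is meant to create.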
