[GUIDE] SFTP Selective remote folder access to certain users

  • SFTP Selective remote folder access to users

    SFTP is a file transfer protocol that runs over SSH and comes bundled with the openssh-server package. With the default settings, anyone in the ssh group (root included) can browse your whole root filesystem and media drives. This guide covers how to set up SSH so that you can specify custom folders as the only ones users can reach through SFTP. This is done with chroot jails defined in sshd_config: we create a general /sftp folder and, inside it, bind-mount every folder a particular user is allowed to access.

    Warning: 90% of this guide is CLI commands.

    What you need:

    • OMV 2.0 (this should also work in earlier versions 1.0, 0.5 and below, but it hasn't been tested)
    • SSH service
    • tree (optional: apt-get install tree)
    • Terminal console (or putty in windows environment)

    Getting Started

    First we need to disable the general sftp subsystem that is enabled by default. Since OMV regenerates sshd_config from its defaults every time we change the SSH service in the web UI, we have to do this by defining an environment variable.

    nano /etc/default/openmediavault

    Place these two lines at the end of the file

    OMV_SSHD_ALLOWGROUPS="root ssh sftp-access"

    Run service openmediavault-engined restart && omv-mkconf ssh && service ssh restart

    Then we create the group sftp-access in the web UI panel, add user1 and user2 as members, and check in the terminal:

    root@vm-omv:/# getent group sftp-access

    Now let's create the chroot folders for our two users

    mkdir -p /sftp/{user1,user2}

    It is important that these two folders are owned by root and that nobody else has write access (sshd refuses a ChrootDirectory that is not root-owned or is group/world writable):

    chown root:root /sftp/{user1,user2}
    chmod 755 /sftp/{user1,user2}

    Now let's say we have four folders at /media/<uuid>/: Documents, Videos, Pictures and Music.

    We want user1 to have access to all four folders and user2 just to Documents, so in the /sftp folder we do

    mkdir -p /sftp/user1/{Documents,Music,Pictures,Videos}
    mkdir -p /sftp/user2/Documents

    We edit /etc/fstab and add this at the end

    Change the uuid and folders according to your setup.

    Run mount -a, then confirm all folders are mounted with mount | grep 'user1\|user2'


    You can then check the structure with tree /sftp -fpug


    As you can see, if you create a file in the original directory it shows up in the sftp directory. This is a bind mount: an alternate view of the original directory tree, replicated at another point of the / filesystem.

    Now we go to the SSH configuration panel in the OMV web UI and in the extra options we add

    Match Group sftp-access
            ChrootDirectory /sftp/%u
            ForceCommand internal-sftp

    It should look like this


    Now let's check from another LAN client that it is working


    You can also use FileZilla, Cyberduck, WinSCP or any other client that supports SFTP to access it from a desktop.
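    As an added example (not part of the original guide), a small POSIX shell script that checks each /sftp/<user> chroot top level against the ownership and mode rule sshd enforces on ChrootDirectory, and prints the fstab bind-mount lines for a user's allowed folders. It assumes GNU coreutils stat as shipped on Debian/OMV, and the "none bind" fstab syntax is assumed since the guide's own entries are not reproduced here.

```sh
#!/bin/sh
# Added example, not from the original guide. Checks that a chroot top
# level (/sftp/<user>) satisfies sshd's ChrootDirectory rule: the
# directory and every parent up to STOP are owned by root and carry no
# group/other write bit. Assumes GNU coreutils stat (Debian/OMV).
SFTP_ROOT=${SFTP_ROOT:-/sftp}

# chroot_dir_ok DIR [STOP]
# Returns 0 when ok, 2 when a component is not owned by root,
# 3 when a component is group- or world-writable. STOP defaults to /.
chroot_dir_ok() {
    dir=$1; stop=${2:-/}; d=$dir
    while :; do
        owner=$(stat -c '%u' "$d") || return 1
        mode=$(stat -c '%a' "$d") || return 1
        go=${mode#${mode%??}}                  # last two octal digits: group, other
        case $go in *[2367]*) return 3 ;; esac # any write bit set -> sshd refuses it
        [ "$owner" -eq 0 ] || return 2         # must be owned by root (uid 0)
        [ "$d" = "$stop" ] && return 0
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")                      # walk up to the next parent
    done
}

# check_all_users -> runs chroot_dir_ok on every $SFTP_ROOT/<user> and
# prints the offenders; sshd would reject logins into those chroots.
check_all_users() {
    rc=0
    for u in "$SFTP_ROOT"/*/; do
        u=${u%/}
        chroot_dir_ok "$u" || { echo "BAD: $u (code $?)"; rc=1; }
    done
    return $rc
}

# fstab_bind_lines USER SRC_BASE FOLDER... -> prints one fstab line per
# folder, e.g. "/media/<uuid>/Documents /sftp/user2/Documents none bind 0 0"
# (standard Linux bind-mount syntax, assumed here).
fstab_bind_lines() {
    user=$1; src=$2; shift 2
    for f in "$@"; do
        printf '%s/%s %s/%s/%s none bind 0 0\n' "$src" "$f" "$SFTP_ROOT" "$user" "$f"
    done
}
```

    Run check_all_users as root after creating the /sftp/<user> folders and again after any chmod/chown on them; a non-zero code names the directory sshd would refuse.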


    • SSH provides no per-user read/write control over the files at login time the way Samba or FTP do; whether a directory is shown or hidden is decided by the fstab bind mounts. If you want to restrict some users to read-only access you will need to use basic POSIX permissions.
    • The ForceCommand directive denies SSH console access to the users in the defined group. Users in the ssh group are not affected by this and keep full root filesystem access both in SFTP and in SSH.
    • You cannot create folders in the chroot top-level folder using SFTP: as set up at the beginning, neither chroot folder user1 nor user2 is writable by the user, so creating or uploading a folder or file there is denied. Inside the bind folders everything should work as expected.
    • You cannot use the scp command in this setup for the users defined in the group sftp-access.
    • You can use SSH keys for more secure access if you want. Those can be added in each user's web panel.
    • If you want to remove access to a folder for a user, do not remove the folders at /sftp/<user>/ without unmounting the binds first, otherwise YOU'RE GOING TO LOSE DATA. You can unmount with umount /sftp/user1/Documents for example, and then delete the specific fstab entry.
