Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

soliddigital's avatar

How to allow another user to access web root through SFTP?

I have created a server on DigitalOcean and have successfully added second user. That user can access /home/ and all folders in it, but I would like to limit that user to only specific web root folder. My configuration is:

  • Ubuntu 20.04.1 LTS
  • website with "Website Isolation"
  • password login through SSH disabled (except for mentioned user)
  • isolation name is klanten, same is group name that has access to files and folders

Added this to the bottom of /etc/ssh/sshd_conf:

Match User username
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /home/klanten/klanten.example.com
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

then:

$ sudo systemctl restart sshd
$ sudo adduser username
$ sudo usermod -G klanten username
$ sudo chmod g+w /home/klanten/klanten.example.com

Problem was that ChrootDirectory was apparently wrongly set because despite correct password, I was logged out immediately. When I changed that to ChrootDirectory /home, user was able to login successfuly, but the username sees all websites, files and folders. He can only read and write to /home/klanten/klanten.exmaple.com, but I want that folder to be user's root folder when they log in through sFTP.

Some other (hopefully useful) data:

$ ls -ldh /home
drwxr-xr-x 8 root root 4.0K Jan 22 10:28 /home
$ ls -ldh /home/klanten
drwxr-xr-x+ 7 klanten klanten 4.0K Jan 21 21:58 /home/klanten
$ ls -ldh /home/klanten/klanten.example.com
drwxr-xr-x 2 klanten klanten 4.0K Jan 21 21:58 /home/klanten/klanten.example.com
$ ls -ldh /home/username
drwxr-xr-x 3 username username 4.0K Jan 22 11:13 /home/username

I did read other topics related to this one and only partially useful was this one: https://laracasts.com/discuss/channels/forge/granting-access-to-forge-site-folder-to-additional-sftp-user But I can't find anywhere on how to force the root folder for specific user, so that they won't be able to browse through entire server.

Any help from experts would be really appreciated!

0 likes
1 reply
soliddigital's avatar

After a lot more digging around, I have a solution that works for now, but I am not really happy with it. Ideally user would only see files inside web root folder and should not be able to go to parent folder. Maybe in the future I will also switch this for a normal FTP server, since they should be easier to configure.

So, the solution is to create user's home folder, "jail lock" user to that folder, create new folder inside user's home folder and mount the web root folder to that new folder. Update permissions and that's it. Oh, and also take care when server restarts, that folders mount again, otherwise user will see empty folder.

Code, for future readers:

# edit SSH config file
$ sudo nano /etc/ssh/sshd_config
# add this to the bottom of file ... the `include` directive does NOT work
Match User [username]
  # force user to use SFTP only and change their directory to desired one
  ForceCommand internal-sftp -d /[folder name]
  # allow password auth for this user only
  PasswordAuthentication yes
  # user's root folder (must have root:root privileges, otherwise user can't log in)
  ChrootDirectory /home/[username]
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no

# restart SSH service, so that it picks up updated config file
$ sudo systemctl restart sshd

# create new user
$ sudo useradd -d /home/[username] -s /sbin/nologin -g [isolation group] -m [username]
# create password for that user
$ sudo passwd [username]
# give write permissions to the group (should be there already but didn't work, needed to do this)
$ sudo chmod g+w /home/[isolation group]/[website root]
# create a folder which will be shown in user's FTP client
$ sudo mkdir /home/[username]/[folder name]
# user's root folder (must have root:root privileges, otherwise user can't log in)
$ sudo chown root:root /home/[username]
# mount web root to created folder
$ sudo mount -o bind /home/[isolation group]/[web root] /home/[username]/[folder name]

# re-mount folders when server restarts
$ sudo nano /etc/fstab
/home/[isolation group]/[website root] /home/[username]/[folder name] none bind 0 0

Please or to participate in this conversation.