Create new ssh user account to access specific folder only

I have an apache2 server running on Ubuntu 16.04. For now, every time I access my project files inside a specific folder I use the root user to run a PHP function and edit some files. After I finish, I need to run chown -R www-data:www-data . inside a terminal, because after I run my PHP function the file owner becomes user:user (root:root). What I need is:

  1. Create a new user for my server

  2. When accessing my server using ssh, this user will be inside a specific folder automatically

  3. Grant this user permission to do anything inside this specific folder

For example, create a user named tonya. When someone accesses the server as user tonya (ssh sonya@server.com), he will be redirected to /var/www/specific_folder. User tonya can do anything inside this folder, and when tonya sets the owner of a PHP file or folder to tonya:www-data, it will work like when I set the file owner to www-data:www-data.










  • See also askubuntu.com/questions/46331/…
    – Panther
    Mar 9 at 5:02














server permissions ssh apache2 php






edited Mar 9 at 2:56

























asked Mar 9 at 2:42









simple guy

1 Answer
accepted










You should be able to accomplish this with

adduser --home /var/www/specific_folder --shell /bin/bash --no-create-home --ingroup www-data --ingroup ssh tonya

  • adduser is used to add a user
  • --home specifies the home directory, which is where the user will be when they log in
  • --shell specifies the shell; by default it is usually just /bin/sh, which is not as user friendly as /bin/bash
  • --no-create-home will not create the home directory, so you must use one that already exists
  • --ingroup adds the user to the specified group
  • the last argument is the username

You could make the user jailed using this guide:

  • Restrict SSH User Access to Certain Directory Using Chrooted Jail

Please remember that even if you jail a user, it is very possible to escape a jail. If you're giving a user access to your system, you may as well be giving them root access because once they have shell access, it's almost always possible to gain root. Setting up a jail will most likely keep a basic user from doing anything too harmful but will do little to nothing to stop a malicious user from doing harmful stuff.






  • Why are there 2 ingroup? How can this user get my root access?
    – simple guy
    Mar 9 at 4:17

  • One ingroup for ssh and one for www-data, and I'm not saying that they will be able to get root access, but you should never allow a user on your system if you don't trust them because once they have shell access on your system, they're 50% the way to root basically. New exploits are discovered daily and because of that, you can never consider a system to be secure.
    – Desultory
    Mar 9 at 15:48

  • @Desultory When I change my PHP file owner from www-data:www-data to tonya:www-data, it gives me a file permission error when I try to access the PHP file from the browser.
    – simple guy
    Mar 14 at 6:41

  • You should probably change the permissions of the file so that it is group based and not owner based. I don't know if PHP requires the execute permission but it definitely needs the read permission. Permissions can be explained here: help.ubuntu.com/community/FilePermissions
    – Desultory
    Mar 15 at 0:41










edited Mar 10 at 7:46









pa4080











answered Mar 9 at 2:47









Desultory
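
An added example, not part of the original answer or comments: a POSIX shell script for the group-based permission setup suggested in the last comment. It lists the paths under a web root that the web server's group cannot read or traverse, and can repair them; the function names and the WEB_GROUP variable are assumptions, with www-data taken from the question.

```shell
#!/bin/sh
# Added example, not code from the thread. WEB_GROUP and the function names
# are assumptions; www-data is the Apache group named in the question.
WEB_GROUP="${WEB_GROUP:-www-data}"

# List every path under $1 that the web server's group cannot use:
#   - path not owned by group $WEB_GROUP
#   - regular file without group read (octal 040)
#   - directory without group read + search (octal 050)
audit_group_access() {
    find "$1" \( ! -group "$WEB_GROUP" \
        -o \( -type f ! -perm -040 \) \
        -o \( -type d ! -perm -050 \) \) -print
}

# Number of problem paths, as a bare integer.
count_group_problems() {
    audit_group_access "$1" | wc -l | tr -d ' '
}

# Make access group based:
#   chgrp -R    hands the tree to $WEB_GROUP, whoever the owner is
#   g+rX        adds group read everywhere; X adds execute only to
#               directories and to files that already have an execute bit
#   g+s (dirs)  new files inherit the directory's group
fix_group_access() {
    chgrp -R "$WEB_GROUP" "$1" &&
    chmod -R g+rX "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# Usage: sh webroot-perms.sh /var/www/specific_folder [--fix]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_group_access "$1" || exit 1
    fi
    audit_group_access "$1"
fi
```

A non-root owner can only chgrp to a group they belong to, so run the fix as root or as a user who is a member of the web server's group.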
