How to Securely Set Up a Restricted SFTP Account on Linux Using chroot

Learn step‑by‑step how to create a dedicated Linux SFTP user with chroot confinement, configure group permissions, set up a secure upload directory, adjust SSH settings, and restart the service to ensure the account can only upload files without shell access, following the principle of least privilege.

Lin is Dream

Configuring a Dedicated SFTP Account on Linux

Following the previous article on the differences between SFTP and FTP, this guide explains how to set up an SFTP account on a Linux server. The goal is to allow an external company to upload files to a specific directory while preventing any other access.

You don’t want the external user to wander around the whole server, right?

The requirements are:

Access only a designated folder

Cannot view other files on the server

Can only upload files, not execute commands or log in via SSH

To achieve this, we use Linux’s chroot mechanism.

What is chroot?

chroot (change root) creates a “wall”: the user sees the chroot directory as the root of the filesystem and cannot reach anything above it. For example, a user chrooted to /home/sftp-user sees that directory as / instead of the real root. This guide uses /data/sftp as the chroot directory.

How to Configure SFTP User Permissions

1. Create a user group and a user (no shell login)

# Create a dedicated sftp user group
groupadd sftpusers
# Create a user that can only use sftp and cannot log in to the system
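useradd -m -g sftpusers -s /sbin/nologin sftpuser

The -s /sbin/nologin option gives the account a non-interactive shell, so it cannot open a shell session over SSH. SFTP still works because step 3 forces internal-sftp, which runs inside sshd and does not need the user's shell.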

2. Create the upload directory and set permissions

mkdir -p /data/sftp/upload
chown root:root /data/sftp   # chroot root must be owned by root and not writable
chmod 755 /data/sftp
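chown sftpuser:sftpusers /data/sftp/upload

The chroot directory (/data/sftp) must be owned by root and must not be writable by group or others, and the same applies to every parent directory on the path (here /data and /); otherwise sshd will reject the connection. This is why uploads go into a subdirectory owned by sftpuser rather than into the chroot directory itself.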

3. Edit the SSH configuration to enable SFTP chroot

Open /etc/ssh/sshd_config and add at the end:

Match Group sftpusers
    ChrootDirectory /data/sftp
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Match Group applies the settings only to members of the specified group; ChrootDirectory defines the directory the user sees as /; ForceCommand internal-sftp runs the built-in SFTP server regardless of what the client requests; X11 and TCP forwarding are disabled so the account cannot be used to tunnel traffic.

4. Restart the SSH service

sudo systemctl restart sshd

Now sftpuser is confined to /data/sftp, which it sees as /, and can only upload files to /upload. Even if the credentials are leaked, access is limited to that directory tree and the rest of the server stays out of reach.

Testing the Setup

sftp sftpuser@your_server_ip
# After the password prompt
sftp> cd /
sftp> ls
upload          # only the upload directory is visible
sftp> cd ..
sftp> ls        # still at the chroot root; nothing else is listed

Important Tips

Connection closed – Ensure the chroot directory is owned by root and is not writable by group or others.

Cannot upload files – Set the upload directory ownership to the SFTP user.

User can still SSH – Verify the user’s shell is set to /sbin/nologin.
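
A pre-flight check for the ownership rule from step 2 and the "Connection closed" tip, given here as an added example rather than code from the original article. It applies the requirement documented for ChrootDirectory in sshd_config(5), that every component of the path is a root-owned directory not writable by group or others; the function names and the script name check_chroot.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# ChrootDirectory path. Assumes GNU stat, as shipped on Linux.

# component_ok PATH [OWNER_UID]
# Succeeds when PATH is a directory owned by OWNER_UID (default 0 = root)
# and carries no group or other write bit.
component_ok() {
    p=$1
    want_uid=${2:-0}
    [ -d "$p" ] || { echo "FAIL $p: not a directory"; return 1; }
    set -- $(stat -L -c '%u %a' "$p")      # $1 = owner uid, $2 = octal mode
    [ "$1" = "$want_uid" ] || { echo "FAIL $p: owner uid $1, want $want_uid"; return 1; }
    [ $(( 0$2 & 022 )) -eq 0 ] || { echo "FAIL $p: mode $2 is group/other writable"; return 1; }
    echo "ok   $p (uid $1, mode $2)"
}

# check_chroot_path DIR [OWNER_UID]
# Applies component_ok to DIR and to every parent directory up to /.
# Reports all failing components and returns non-zero if any failed.
check_chroot_path() {
    dir=$1
    uid=${2:-0}
    rc=0
    case $dir in
        /*) ;;
        *)  echo "FAIL $dir: must be an absolute path"; return 1 ;;
    esac
    while :; do
        component_ok "$dir" "$uid" || rc=1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage: sh check_chroot.sh /data/sftp
if [ -n "${1:-}" ]; then
    check_chroot_path "$1"
fi
```

Run it as `sh check_chroot.sh /data/sftp` before restarting sshd; `sshd -t` separately validates the syntax of sshd_config.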

The best practice for server management is the principle of least privilege.

In the next article, we will continue with SpringBoot integration of SFTP for remote file transfer (including full code).

Conclusion

By following the above configuration, we have created a production‑grade SFTP account that meets security requirements.
