How to restrict SFTP users to run only a limited set of commands/actions?

For users connected to a shell there is an option to configure a restricted shell. Once done, the user can run only the allowed commands, e.g. User1 can only execute the cat, touch, more and ls commands.

But how to accomplish this for users not connected to a shell (e.g. a user connected to Linux via SFTP with WinSCP)? For example, I need to restrict their actions to read actions, or deny them the delete action.

Martin Prikryl
Salman Raza

1 Answer


You can run the SFTP server in read-only mode using the -R switch:

Match User Users1
    # Subsystem is not permitted inside a Match block; ForceCommand is
    ForceCommand internal-sftp -R

Or you can restrict individual operations using the -P switch.

For example, to disable deleting, you can do:

Match User Users1
    # -P takes a comma-separated list of SFTP requests to refuse
    ForceCommand internal-sftp -P remove,rmdir

(Though note this won't prevent the user from overwriting existing files.)

Martin Prikryl
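The two configuration mistakes that are easy to make here (putting Subsystem inside a Match block, which sshd rejects, and blocking deletion while leaving the write request allowed, the overwrite caveat above) can be caught before restarting sshd. The following linter is an added example written for this page, not code from the answer or from OpenSSH. Its list of request names is taken from sftp-server(8) and is assumed to match the OpenSSH version in use; the function names parse_blocks and lint are hypothetical.

```python
"""Lint the SFTP-restriction parts of an sshd_config text (added example)."""
import shlex

# Request names accepted by internal-sftp's -P (denylist) and -p (allowlist)
# switches, per sftp-server(8). Assumption: this matches the installed OpenSSH.
KNOWN_REQUESTS = {
    "open", "close", "read", "write", "lstat", "fstat", "setstat", "fsetstat",
    "opendir", "readdir", "remove", "mkdir", "rmdir", "realpath", "stat",
    "rename", "readlink", "symlink", "posix-rename", "statvfs", "fstatvfs",
    "hardlink", "fsync", "lsetstat",
}


def parse_blocks(text):
    """Split sshd_config text into (match_criteria, [(keyword, args), ...]).

    The first entry is the global section, with match_criteria None.
    Comments and blank lines are dropped; keywords keep their original case.
    """
    blocks = [(None, [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        if keyword.lower() == "match":
            blocks.append((args, []))
        else:
            blocks[-1][1].append((keyword, args))
    return blocks


def lint(text):
    """Return a list of 'error: ...' / 'warning: ...' strings for the config."""
    findings = []
    for criteria, directives in parse_blocks(text):
        for keyword, args in directives:
            kw = keyword.lower()
            # sshd refuses to start when Subsystem appears under Match.
            if criteria is not None and kw == "subsystem":
                findings.append(
                    f"error: 'Subsystem' is not permitted inside 'Match {criteria}'; "
                    "use 'ForceCommand internal-sftp ...' there instead")
            if kw not in ("subsystem", "forcecommand") or "internal-sftp" not in args:
                continue
            argv = shlex.split(args)
            denied = set()
            for i, tok in enumerate(argv):
                if tok in ("-P", "-p") and i + 1 < len(argv):
                    names = set(argv[i + 1].split(","))
                    unknown = sorted(names - KNOWN_REQUESTS)
                    if unknown:
                        findings.append(
                            f"error: unknown request name(s) in {tok}: {unknown}")
                    if tok == "-P":
                        denied |= names
            # -R makes the whole session read-only, so overwrite is not possible.
            if "-R" in argv:
                continue
            if denied & {"remove", "rmdir"} and "write" not in denied:
                findings.append(
                    "warning: deletion is denied but 'write' is not, so existing "
                    "files can still be overwritten")
    return findings


# Constructed sample configs: the answer's snippet as posted, and a corrected one.
POSTED = """Match user Users1
    Subsystem sftp internal-sftp -P remove,rmdir
"""
CORRECTED = """Subsystem sftp internal-sftp
Match User Users1
    ForceCommand internal-sftp -R
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, lint(cfg) or ["ok"])
```

Run it against the text of /etc/ssh/sshd_config before restarting the daemon; an empty list means no Match-block Subsystem, no misspelled request names, and no denylist that blocks deletion while still permitting overwrites. A final `sshd -t` is still the authoritative syntax check.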