Restricting a user to a single directory is a challenging task, and close to impossible if you also want it to be secure. To confine a user to one directory with a chroot, that directory and every parent directory above it in the hierarchy must be owned by root, which means none of them can be writable by anyone else. That is where the problem comes from.

The way you give a user restricted SFTP access to one directory is simple: you don’t chroot them into their home directory.

Instead, you keep the restricted area in a separate, root-owned directory elsewhere on the server’s filesystem. Create a folder like so:

sudo mkdir -p /var/example

You can then set the owner of /var/example to root:

sudo chown root:root /var/example

Now that this directory is owned by root, give root write permission and give all other users only read and execute permission with this command:

sudo chmod 755 /var/example

Now create the subdirectory which will be owned by the new user. This is where the user will be able to upload files:

sudo mkdir -p /var/example/uploads

Then change the ownership rights of the subdirectory to your new user:

sudo chown newuser /var/example/uploads

Next, edit sshd_config so that the new user can only use SFTP:

sudo nano /etc/ssh/sshd_config

Then add the following to the bottom of the file:

Match User newuser
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/example
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

The problem I ran into is that I wasn’t able to access these files from my home directory /var/www/html.

The solution is to create a crontab using the following command, which opens the crontab file for editing:

crontab -e

Then, in the file, add a cronjob that moves the uploaded file to the desired directory within the home directory:

0 6 * * * /bin/mv /var/example/uploads/file.html /var/www/html/path/to/directory

Press CTRL + C to leave the editor, and your cronjob is now set up.

This is the workaround I went with… Maybe it’ll help you too!