Create the sftp user and add it to the deluge group (membership in that group is what gives it access to /srv/deluge/):
# useradd sftpuser -d /home/sftpuser -G deluge
Modify the sshd config (/etc/ssh/sshd_config) and add these lines at the end of the file (every directive after a Match line belongs to that block, so it must come after the global settings):
Match User sftpuser
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
Restart the sshd server:
# systemctl restart sshd.service
Change the rights on the chroot directory; this is required or sftp won't let you connect. The chroot directory must be owned by root and must not be writable by any other user or group (mode 755 or stricter), and the same applies to every directory on the path leading to it (/home in this case):
# chown root:root /home/sftpuser
If sftpuser's shell is /bin/false but /bin/false is not listed in /etc/shells, the sftp connection will be refused. To disable the normal ssh login while keeping sftp working, add /bin/false to /etc/shells and then change the user's shell:
# usermod -s /bin/false sftpuser
Test ssh access (the connection should be refused, since the shell is /bin/false):
# ssh sftpuser@localhost -p $SSH_PORT$
Test sftp access (the user should land in the chroot environment: / inside the session is /home/sftpuser on the host):
# sftp -P $SSH_PORT$ sftpuser@localhost
Create the torrent folder, through which the sftp user will reach the deluge download folder:
# mkdir /home/sftpuser/torrent
Give the torrent folder the appropriate rights (once the bind mount is in place, the ownership and permissions the sftp user sees are those of /srv/deluge/Downloads itself, so what actually governs his access is his membership in the deluge group and the group bits on that tree):
# chown sftpuser:sftpuser /home/sftpuser/torrent
As sftpuser will be chrooted in his home directory (/home/sftpuser/), he won't be able to access /srv/deluge/Downloads even though he has the rights (he is in the deluge group), and a symbolic link such as ln -s /srv/deluge/Downloads /home/sftpuser/deluge won't work because the target is outside the chroot environment: for sftpuser, /home/sftpuser/ is the root directory /, so the link would resolve to /home/sftpuser/srv/deluge/Downloads, which doesn't exist.
We can't directly chroot sftpuser in /srv/deluge/Downloads either, because that would require changing the ownership of /srv/deluge/Downloads/ to root:root, and the deluge user would then no longer be able to write to it.
We must chroot the sftp user, because letting him browse the whole system would be a security issue.
So we give the sftp user two home directories: an SFTP home that is locked down by root (/home/sftpuser/) and one he can write to (/home/sftpuser/torrent/); sshd is satisfied and the system remains secure. To do that, we make the deluge download folder (the writable directory) appear as a subdirectory inside the SFTP home directory with a bind mount:
# mount --bind /srv/deluge/Downloads /home/sftpuser/torrent
We can also add an entry to /etc/fstab to make this configuration permanent across reboots:
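The whole procedure above, collected into one script together with the checks a practitioner would run before restarting sshd (the chroot ownership rule verified on every path component, and the configuration validated with sshd -t so a typo does not lock you out). This is an added example, not the script from the original page: it assumes a Linux host with GNU stat and util-linux mountpoint, an existing deluge group, and an sshd_config with no earlier Match block covering this user; the helper names (chroot_perms_ok, check_chroot_chain, sshd_match_block, fstab_bind_line) and the variables SFTP_USER and DATA_DIR are this example's own.

```shell
#!/bin/bash
# Added example (not the original page's script): runs the procedure above
# idempotently and verifies the sshd chroot requirements before restarting.
# Assumptions: Linux, GNU coreutils (stat -c), util-linux (mountpoint), the
# deluge group exists. Function and variable names are this example's own.
set -u

SFTP_USER="${SFTP_USER:-sftpuser}"
SFTP_HOME="/home/${SFTP_USER}"
DATA_DIR="${DATA_DIR:-/srv/deluge/Downloads}"
MOUNT_POINT="${SFTP_HOME}/torrent"
SSHD_CONFIG="/etc/ssh/sshd_config"

# sshd's ChrootDirectory rule as a pure check: owned by root (uid 0) and not
# writable by group or others (no bit of octal 022 set).
# $2 is an octal mode as printed by "stat -c %a", e.g. 755 or 1777.
chroot_perms_ok() {
    local uid="$1" mode
    mode=$(printf '%d' "0$2")        # leading 0: printf parses it as octal
    [ "$uid" -eq 0 ] && [ $(( mode & 18 )) -eq 0 ]   # 18 decimal == 022 octal
}

# Walk from the chroot directory up to /: sshd checks every component of the
# path. Returns 0 if clean, 1 on a bad component (printed), 2 if a path is missing.
check_chroot_chain() {
    local path="$1" uid mode
    while :; do
        uid=$(stat -c %u "$path" 2>/dev/null) || return 2
        mode=$(stat -c %a "$path" 2>/dev/null) || return 2
        if ! chroot_perms_ok "$uid" "$mode"; then
            echo "bad chroot component: $path (uid=$uid mode=$mode)"
            return 1
        fi
        [ "$path" = "/" ] && return 0
        path=$(dirname "$path")
    done
}

# The Match block from the page. It goes at the END of sshd_config, because
# every directive after a Match line belongs to that block.
sshd_match_block() {
    cat <<EOF
Match User $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
EOF
}

# /etc/fstab entry that recreates the bind mount at boot.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

setup() {
    [ "$(id -u)" -eq 0 ] || { echo "setup must run as root" >&2; return 1; }

    # User with no usable shell; as the page notes, /bin/false must be listed
    # in /etc/shells or the sftp login is refused on this setup.
    grep -qx /bin/false /etc/shells || echo /bin/false >> /etc/shells
    id "$SFTP_USER" >/dev/null 2>&1 || \
        useradd "$SFTP_USER" -d "$SFTP_HOME" -G deluge -s /bin/false

    # Locked-down chroot root (root-owned, 755) plus the mount point inside it.
    mkdir -p "$MOUNT_POINT"
    chown root:root "$SFTP_HOME" && chmod 755 "$SFTP_HOME"
    check_chroot_chain "$SFTP_HOME" || return 1

    # Bind-mount the deluge download directory into the chroot and persist it.
    mountpoint -q "$MOUNT_POINT" || mount --bind "$DATA_DIR" "$MOUNT_POINT"
    grep -qF "$MOUNT_POINT" /etc/fstab || \
        fstab_bind_line "$DATA_DIR" "$MOUNT_POINT" >> /etc/fstab

    # Append the Match block once, validate the config, and only then restart.
    grep -q "^Match User ${SFTP_USER}\$" "$SSHD_CONFIG" || \
        sshd_match_block "$SFTP_USER" >> "$SSHD_CONFIG"
    sshd -t || { echo "sshd_config does not parse; not restarting" >&2; return 1; }
    systemctl restart sshd.service
}

# Run only when invoked as "./sftp-chroot.sh setup"; sourcing just defines the functions.
if [ "${1:-}" = "setup" ]; then setup; fi
```

check_chroot_chain is the check worth keeping around on its own: if a later package upgrade or an admin makes /home group-writable, sshd starts rejecting the sftp login with no useful client-side message, and running the check on /home/sftpuser names the offending component directly.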