Restricting a sftp user to a particular directory

Hi,
While uploading files using WINSCP to a sftp server the user is able to browse all the folders in the sun box. How to restrict the user to view only the folder assigned for him to upload the files?
Arut

Hi,
As I understand, there is no possibility for that.
You can only create workspace admin, developer and end user.
Developer can not create new users and can change apps if app status is "run and build".
Admin can of course do all things in workspace and end user can not login to workspace.
I think only option for you is use custom authentication and create app to manage users table.
Br,Jari

Similar Messages

  • How do I restrict an sFTP user to just their home folder?

    Today I setup a user for on my Mac specifically for someone to sFTP files to my computer.
    I tested the connection on another computer on the network, it worked OK but I quickly realised that after logging in via an FTP client, I could go to the root dir and start to navigate around other folders, getting to other home directories, download photos etc., all of which I don't want the user to do.
    I would like the FTP user to login, and only see their home directory, nothing else.
    The root shouldn't show any files, for example.
    I have tried to lock things down and it's a bit better, ensuring that a lot of the folders have owner only permissions, and group write only.
    However there are some folders that cannot be locked down by default.
    /Applications
    For example, any user can read any file in that folder, even if the user is only intended to FTP files.
    I have tried changing the group the user belongs to (changing it from 'Staff' to 'Nobody') but it doesn't seem to make a difference.
    Hope someone can help me with this please, perhaps there is a better way. I have not used any terminal commands in what I have done, everything has been via the GUI (which I guess should be sufficient).

    Thanks Linc,
    that has helped a lot.
    Here is what I have done for the record:
    1) Opened the sshd_config file in /etc
         sudo vi sshd_config
    2) Added the following lines to the very bottom of the file:
         Match User MYUSER
         # The following two directives force klm to become chrooted
         # and only have sftp available. No other chroot setup is required
         ChrootDirectory /Users/MYUSER/
         ForceCommand internal-sftp
         # For additional paranoia, disallow all types of port forwardings
         AllowTcpForwarding no
         GatewayPorts no
         X11Forwarding no
    3) Saved the file and tried to reconnect
    4) My FTP software (on another computer on the network) wouldn't connect! I kept getting an error message:
         Error: Server unexpectedly closed network conection
         Error: Could not connect to server
    5) I opened up the "Console" program and looked at the secure.log under /var/log and saw the following entry:
    Aug  2 10:28:57 rmlloyd-imac sshd[6590]: fatal: bad ownership or modes for chroot directory component "/Users/MYUSER"
    This made me realise that it was something to do with permissions on the home folder, but I still don't quite appreciate why the user logging in doesn't have permissions to its own folder as a root.
    6) Some searching on the internet yielded something like the perfect answer, that a home directory cannot be set as a chroot directory.
    So I changed the ChrootDirectory to:
    ChrootDirectory /Users
    7) Attempt to login with sFTP again works! What I see is the root appears to be the contents of /Users
    Conclusion
    This is much much better than the situation I was in originally, I can set access permissions to the home directories, but the ftp user still sees them. It's not perfect but it nearly is.
    I really wish I didn't have to mess around in the terminal though, as fun as it is, a check box added by Apple to the user UI would do the job much easier, e.g.
    "Restrict user to home folder only" - makes the home folder the root
    "Restrict user to the following activities" - then have check boxes for sFTP etc...
    Then the Apple UI can write to the sshd_config for me.
    All in all, I am very pleased and have learnt a fair bit from setting this up, so thanks to those that replied and I hope this information helps someone else one day.
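
The `bad ownership or modes for chroot directory component` entry in step 5 reflects the rule in sshd_config(5) that every component of the ChrootDirectory path must be a root-owned directory that is not writable by group or others. The following is an added example, not part of the original post: a Python pre-flight check for that rule. The function names, the uid 501 and the sample ownership table are assumptions made for illustration.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result, used only by the constructed sample.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def path_components(path):
    """Yield '/', '/Users', '/Users/MYUSER' for '/Users/MYUSER/'."""
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    current = "/"
    yield current
    for part in path.strip("/").split("/"):
        if part:
            current = os.path.join(current, part)
            yield current


def chroot_problems(path, stat_fn=os.stat):
    """Return (component, reason) pairs that would make sshd refuse the chroot."""
    problems = []
    for comp in path_components(path):
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
            break
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, not root" % st.st_uid))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, "writable by group or others (mode %04o)" % mode))
    return problems


# Constructed sample (not real system data): the home directory belongs to
# the sftp user (uid 501 is an assumption), its parents belong to root.
SAMPLE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/Users": FakeStat(0, stat.S_IFDIR | 0o755),
    "/Users/MYUSER": FakeStat(501, stat.S_IFDIR | 0o755),
}


def sample_stat(path):
    """stat_fn backed by the constructed SAMPLE table."""
    try:
        return SAMPLE[path]
    except KeyError:
        raise FileNotFoundError(2, "No such file or directory", path)


if __name__ == "__main__":
    for chroot in ("/Users/MYUSER/", "/Users"):
        found = chroot_problems(chroot, sample_stat)
        print(chroot, "->", found if found else "acceptable to sshd")
```

Called with only a path, `chroot_problems` uses `os.stat` and checks the real filesystem. On the sample it flags `/Users/MYUSER` and accepts `/Users`, matching what the post observed in steps 5 and 7.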

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASA's (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST")
    Right now the ASA does radius auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows active directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group
    policy.
    Step 2 Set the class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class Attribute to a value
    of OU=SSL_VPN; (Do not omit the semicolon.)

  • Urgent!doubt in upload the file to a particular directory.

    Hi
    Actually I'm developing a site using JSP.
    Main concept of the project is the user should be
    able to access his files or databases from anywhere
    in the world through internet via intranet.
    I've placed upload option in my site.
    Each user should be given a separate directory.
    Can anyone tell me how to make the user store
    the file in a particular directory (the one allotted to him).
    And to view the file, if the user enters the file name
    it should open the file in the particular format.
    I need the coding since I'm new to JSP.
    Can anyone help me or refer any site that can solve
    my problem?
    Thanks in advance.

    I'd just answered a similar case. I believe this is what you are looking for:
    <%@ page contentType="MIME-Type; Charset=Character-Set" %>
    Read up on MIME-Type and Character-Set for info.
    Here are some examples:
    By default:
    <%@ page contentType="text/html; Charset=ISO-8859-1" %>
    Show an MS Excel file:
    <%@ page contentType="application/vnd.ms-excel" %>
    or
    <%
    String mimeType = "application/vnd.ms-excel";
    response.setContentType(mimeType);
    %>
    Cheers

  • Is there a way to list the contents of a particular directory?

    Hi,
    I'm creating the blue-print of a new iPad app and was wondering if there was a way to request the contents of a particular directory (either local to the device or a particular directory on the web) and also get the "type" of each item.
    For example if inside a directory "Directory1" and inside that directory I have 4 files and another directory, (file1.gif, file2.txt, file3.mov, file4.mp3, Directory2)
    Is there a way to request the contents of Directory1 and the type of files they are?
    The ideal thing will be to get a recursive request and get an array of contents of all directories inside a particular directory.
    something like:
    Directory1[file1a.gif,file1b.txt,file1c.mov,file1d.mp3,[Directory2[file2b.mov,file2b.mp3]]]
    What I want is to create a navigation for the user based on the resultant string.
    Am I re-inventing the wheel here?
    Any direction will be greatly appreciated. I'd rather adjust the blue-print now based on what is possible.
    Thanks!

    We are users here. You might have better luck going to the developers forum.
    http://developer.apple.com/devforums/
    There are also links on that page that may help too.

  • How can I encrypt a particular directory and not Home?

    I have a work iBook that I use for travel and I'd like to encrypt a particular directory instead of my whole Home directory. Can this be done? If so, how?
    If I NEED to use File Vault on my home directory, does this slow down non-work things like making DVDs, working with Photoshop, playing games, etc?
    What if I made another user, like Work, and used File Vault on that? I guess that would work, but could I access a file while I'm logged in as Home?
    Thanks,
    Tom

    >Re: 1: So, basically what I'm doing is creating another partition...but an encrypted partition, right?
    Not a partition, per se. While a disk image looks and acts like a partition in some respects (you can mount it at the desktop, copy files to/from it, etc.), it's actually just a file on disk, which means you can copy the disk image to another machine, open it up and get its contents (password-protection notwithstanding, of course). Partitions cannot be moved from machine to machine (or from disk to disk).
    Also, if you create the disk image as a sparse image, it only takes up the amount of space consumed by the files within it. This means that if you create a 1GB image but only copy 100MB of data into it, it'll take up 100MB of space on disk (plus a little overhead). Compare that to a partition that will take 1GB on disk, even when it's empty.

  • User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013

    I can login with these AD users and AD direct import is working just fine. We are not using UPS.
    With admin user when I click on the user it shows up proper data. But when I login with the same user it does not show me userdisplay/useredit and shows blank data. Also another strange thing is when I add new item in list with these AD users, created by / modified by is blank and it's really strange. I checked user information list, tried to rerun user sync with direct AD import option but no success.
    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Hi Amit,
    According to your description, my understanding is that the page is blank when the user accessed /_layouts/15/userdisp.aspx and the created by field was blank when the user created a new list item in SharePoint 2013.
    I tested the same scenario per your post, however I cannot reproduce your issue.
    For troubleshooting this issue, I recommend to verify the things below:
    Check the permission of the user in the corresponding site collection to see if he can access /_layouts/15/userdisp.aspx.
    Delete the user from AD and SharePoint, then re-add the user to AD and grant proper permission to the user in SharePoint to see if the issue still occurs.
    Did this issue occur with all the users? Add a new user in AD and test the same scenario.
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • How can I authenticate a User In Windows Active Directory?

    I need to authenticate a user in Windows Active Directory, but I found that the code below will return true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which does not exist in Active Directory with a blank password, it will also return true. What shall I do? Ask that every user must input a password that is not blank?
    Please give me some help to solve this problem. Thanks a lot.
    Code:
    private Context ctx = null;
    Hashtable env = new Hashtable();
    boolean isValid = false;
    try {
        this.setEnvironmentProperties();
        String domainName = AuthenticateResources.getString("mydomain.com");
        // set the name of domain with the user name
        String fullName = name + "@" + domainName;
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://mydomain:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // set user related information
        env.put(Context.SECURITY_PRINCIPAL, fullName);
        // set user password
        env.put(Context.SECURITY_CREDENTIALS, password);
        // validate user
        ctx = new InitialDirContext(env);
        isValid = true;
    } catch (AuthenticationException ex) {
        isValid = false;
    } catch (NamingException ex) {
        throw ex;
    } finally {
        this.freeContext();
    }
    return isValid;

    This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
    I think by default Active Directory disables Anonymous Binding, but you may want to check.

  • How to check if a user has a particular role in sql server

    Is it possible to check to see if a user has a particular role in sql server? For instance, I need to check to see if the user logging in has write ability to the database. Thanks in advance.

    To answer your question from a Java-perspective, since this is a Java-forum: No.
    The JDBC 3.0 specification does not state that the driver has to implement a user credential mechanism.
    However, the DriverManager will throw an SQLException if user credentials are not met at all and the Connection should throw you a SQLException when trying to create or execute a statement that you are not allowed to do.

  • Restrict PR/PO/GR for a particular company code from particular date

    Hi Experts
    How we can restrict PR/PO/GR for a particular company code from a particular date?
    I know PR is not directly linked with company code
    PO can be restricted by deactivating the assignment between company code & plant
    GR- we can use posting period option.?
    Suggest me the best solution for the above requirement.
    Thanks/karthik

    hi
    Obviously, you can stop the company code posting by not activating the month end closing of periods (MMPV) in MM and similarly in FI (OB52).
    By removing the assignment you can stop PO creation for the company code but you need to ensure that all the old, un-finished PO/SA and other related activities are taken care of before that.
    Regards

  • Moving Mail Users from a Local Directory to Open Directory

    Hi,
    We have been running a standalone mail server for a few years. We have recently upgraded to 10.5 for all of our servers. We have also been running an Open Directory server for the last year or so. Now I am trying to move my email users from the Local Directory on the Mail server to the LDAP server. Obviously we do not want to change account names, so I find I need to delete the local user and then enable the user through the LDAP. This works fine, but I need to bring the original IMAP files/folders forward.
    My question is what is the best practice? I thought backing up the Mail folder in each user's Library and reimporting it would work, but it won't take the IMAP mbox (I can see all the .emlx files in the backup of the user's Mail folder).
    So again, I had a user called user1 in my mail server Local directory say server1. I also have an Open Directory server2 with the same username on it. I have bound server1 to server2. I can see the server2 (OD) accounts on the server1 (mail). I then need to delete user1 from Local server1 directory in order to enable mail to user1 from the OD. This does work, but again, I need bring the mail files/folders to the new OD account on server1.
    thanks,
    mike

    Tony,
    Let me check the migration manual, thank you!
    I really thought this was going to be easier than this. The current accounts are IMAP, and therefore when I "hook up" the new OD account, which doesn't really need anything done on the client side because it is the same username and password and server as the current Local account. When it syncs, the old emails on the IMAP account in the user's Mail program clear since the new OD account is empty on the server.
    I just really thought duplicating the Mail folder in the client's home Library would allow me to import the emails back in. I have tried highlighting the mailboxes (Inbox, and personal folders), archiving them, and then reimporting seemed to work, but I need to beat it up before I start working on live accounts. One account I did try lets me read the emails from the user, but when I try dragging them to the IMAP folders from the import folder, I get a NULL character problem on IMAP append error. NOT to chase that, but it was something else that tripped me up.
    You do bring up a good point, I think the accounts were originally setup as POP and IMAP. I'll chase some ideas about that.
    Let me play around, you've been great considering my awful explanation of this different situation.
    thanks again,
    mike

  • Create a User account in active directory from SharePoint online 2013 list data

    Hello,
    I am trying to create a SharePoint list through which I can create a user account in Active Directory,
    1 - HR is sending the detail in the email body to a Specific email address  ([email protected]) like below..
    First Name: XYZ
    Last Name: ABC
    Address: ABC 123
    Designation: Analyst
    Employee ID: 10492
    and so on 
    2 - I need to pickup every new email data of the above section into sharepoint list (in Column)
    First Name        Last Name       Address         Designation   Employee ID   
    3 - I want to create an event receiver through which I can go ahead and find the new data in the list and then create a user in Active Directory,
    I tried very hard and since I don't have much experience in the coding part, any help will be highly appreciated
    Thank you 
    Aman 

    1- Configure Incoming Email Setting at your SharePoint Farm -
    https://technet.microsoft.com/en-us/library/cc262947.aspx
    http://blogs.technet.com/b/harmeetw/archive/2012/12/29/sharepoint-2013-configure-incoming-emails-with-exchange-server-2013.aspx
    2- Configure your Sharepoint List Incoming e-mail settings for [email protected] - ListSetting-Communications->Incoming e-mail settings. -
    https://support.office.com/en-in/article/Enable-and-configure-e-mail-support-for-a-list-or-library-dcaf44a0-1d9b-451a-84c7-6c52e7db908e
    3- Write an Incoming Email Receiver, and add your email body parsing code (retrieve value of fields, firstname, lastname etc.) in the
    EmailReceived() method. Also add the code for adding a new user in Active Directory
    http://blogs.msdn.com/b/tejasr/archive/2010/03/06/event-handler-code-to-add-incoming-emails-with-subject-discussion-id-as-replies.aspx
    https://pholpar.wordpress.com/2010/01/13/creating-a-simple-email-receiver-for-a-document-library/
    4-  Active Directory Code Help -
    http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C
    http://www.codeproject.com/Tips/534718/Add-User-to-Active-Directory
    Thanks
    Ganesh Jat

  • How to set the user's Default joboptions directory?

    Hello Experts,
    When we installed Acrobat Pro 8.x on our Win XP Pro systems our systems were NOT in a Windows Domain.  At that time the default location for user-created/customized joboptions files was:
    C:\Documents and Settings\<Username>\Application Data\Adobe\Adobe PDF\Settings
    where <Username> is the name of the LOCAL Windows user.
    A few years ago we migrated to a Windows Domain and converted our LOCAL users to domain users and disabled, but did not delete, the LOCAL user's account.  We did not remove the LOCAL user's Documents and Settings directory structure either.
    Our users now log into a DOMAIN rather than the LOCAL account.
    As a result of that process the user's Documents and Settings directory structure changed to;
      C:\Documents and Settings\<Username.DOMAINNAME>
    where DOMAINNAME is, of course, our Windows Domain Name.
    Now we are beginning to use Acrobat Distiller joboptions and I notice that when Acrobat/Distiller goes to save a user-created/customized joboptions file the default location has remained;
      C:\Documents and Settings\<Username>\Application Data\Adobe\Adobe PDF\Settings
    which is NOT the user who is logged in
    Acrobat/Distiller should use the Documents and Settings directory of the user who is actually logged in which is;
      C:\Documents and Settings\<Username.DOMAINNAME>\Application Data\Adobe\Adobe PDF\Settings
    This anomaly has created some confusion and appears to have created a dependency of the old LOCAL user's Documents and Settings directory preventing us from deleting it.
    Question:
    How can we force Acrobat/Distiller to use the Documents and Settings directory of the logged in user (eg: the Domain user)?
    In other words, how do we set the user's default joboptions directory?
    Pointers/tips/and tricks are most welcome.

    If the user is the one running the program, you can always get the home directory using System.getProperty("user.home");
    If you are trying to get the properties of another user, you could try using setProperties to change the user name first, before getting the home directory, but it probably won't work because of the security manager. You could read the /etc/passwd file and parse the path out, but once again, the user of the code would have to have appropriate permission.

  • TO READ FILES IN A PARTICULAR DIRECTORY FROM APPLICATION SERVER

    Hi all,
    Is there any function module which gives the list of files in a specific directory?
    For example, I want to fetch all files in a particular directory, say */interf/sy-mandt/reports....*
    I need a function module which will give all filenames in an internal table, if I give the directory name as input.
    Thanks in advance,
    Aakash.
    Edited by: Aakash Neelaperumal on Apr 25, 2008 11:06 PM

    Hi,
    You can use WS_FILENAME_GET but understand it is obsolete. Search for a FM in function group SFES. I saw quite a few and one of them should meet your requirement.
    Cheers !

  • Problem opening reports with a user in the Oracle Directory.

    I have already followed all the steps in the user's guide to run reports with a user in the Oracle Directory.
    I accessed the enterprise security manager and created the mandatory xml publisher roles, besides I created another role. I added user A to the new role I created.
    I accessed then the administrator tab in XML publisher. I went to roles and the role I created was there. When I tried to add a folder. I'm able to add the folder there. I click on apply and then when I enter in the security Settings again the folder is not there anymore.
    I get the following error in the log:
    [021207_103218621][][EXCEPTION] oracle.apps.xdo.servlet.resources.ResourceNotFoundException: /opt/oracle/infra2/j2ee/home/xmlpublisher/Admin/Security/security.xml
    When I access xml publisher with the user A, who belongs to the new role I'm working with, I'm not able to see any folder, nor anything else.
    Do you have any ideas about what could be going wrong?
    Thanks,
    Joaquin

    Can you reply how? I have been facing this problem for nearly 3 months without any solution. Please help me.
    Debarati
