How to Restrict SFTP Users to Home Directories Using chroot Jail


Senthil Kumar

A Linux Consultant, living in India. He loves very much to write about Linux, Open Source, Computers and Internet. Apart from that, He'd like to review Internet tools and web services.


10 Responses

  1. tecmint says:

    I created an SFTP chroot for user XXX

    Subsystem sftp internal-sftp -l INFO -f AUTH
    Match Group sftp_g
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /data/%u
    ForceCommand internal-sftp -l INFO -f AUTH

    I created user XXX and added to group sftp_g. I also created resource /data with permissions (root.root & 755).

    I added the XXX directory (root.root & 755). Here I added XXX (XXX.sftp_g)

    It works!

    Now I would like a completely different user to have rwx rights on the resource /data/xxx/xxx. If I add setfacl for that user on the resource /data, XXX stops working and cannot connect; SSH logs bad permission.

    What should I do to have rwx for the user yyy on the resource /data/xxx/xxx?
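The "bad permission" in the comment above is sshd's ChrootDirectory sanity check: the chroot directory and every ancestor of it must be root-owned and not group- or other-writable, and a POSIX ACL such as `setfacl -m u:yyy:rwx /data` raises the ACL mask, which is what the group bits of the mode report, so /data then fails that check (directories below the chroot are not checked). The script below is an added example, not from the article or the comment, that reproduces the check against a constructed scratch tree; the TOP and OWNER_UID parameters exist only so it can run unprivileged (sshd itself uses / and uid 0), and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: reproduce the check sshd applies to ChrootDirectory before it
# lets a chrooted SFTP session in. Every component of the chroot path must be
# owned by root (uid 0) and must not be writable by group or others; otherwise
# sshd logs "bad ownership or modes for chroot directory component" and the
# login fails. A POSIX ACL granting another user rwx (setfacl -m u:yyy:rwx DIR)
# raises the ACL mask, which is what the group bits of st_mode report, so the
# directory then looks group-writable and fails exactly like after chmod g+w.
# Assumes GNU stat (-c). TOP and OWNER_UID exist only so the check can run
# against a scratch tree as an unprivileged user; sshd itself uses / and uid 0.
#
# Usage: chroot_path_ok DIR [TOP] [OWNER_UID]
chroot_path_ok() {
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    while :; do
        # %u = numeric owner, %a = octal mode (group bits show the ACL mask)
        out=$(stat -c '%u %a' "$dir") || return 1
        set -- $out
        uid=$1
        mode=$2
        if [ "$uid" -ne "$want_uid" ]; then
            echo "REJECT $dir: owner uid $uid, expected $want_uid" >&2
            return 1
        fi
        # 022 = group-write | other-write; either bit set is fatal
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "REJECT $dir: mode $mode is group/other writable" >&2
            return 1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then
            return 0
        fi
        dir=$(dirname "$dir")
    done
}

# Demonstration on a constructed scratch tree mirroring /data/XXX from the comment.
scratch=$(mktemp -d)
mkdir -p "$scratch/data/XXX"
chmod 755 "$scratch/data" "$scratch/data/XXX"
chroot_path_ok "$scratch/data/XXX" "$scratch" "$(id -u)" && echo "755 on every component: accepted"
chmod g+w "$scratch/data"    # same visible effect as setfacl -m u:yyy:rwx on /data
chroot_path_ok "$scratch/data/XXX" "$scratch" "$(id -u)" || echo "group-writable /data: rejected, as sshd would"
rm -rf "$scratch"
```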

  2. Musthafa says:

    How to restrict multiple users to their own home directories (not to a common directory)?

  3. Tarun kumar says:

    This configuration shows all directories from the /home directory, but I want to restrict the user to his own folder. Any suggestions?

    • Musthafa says:

      Hi Bro,

      Change /home to whichever directory you need the user to be restricted to.

      Eg: ChrootDirectory /home/

  4. Patrick says:

    Great article and it helped me resolve my problem. However, I have one more little problem that I cannot seem to figure out and it is to do with WinSCP and chroot.

    My issue is that when I use WinSCP to connect to the server I have set up it will work correctly except that the user and owner do not show up correctly. It shows as the UID and GID rather than the actual owner and group.

    It will show the User as a value of 0 and Group as 1005. It's pulling the values from the /etc/group file.

    When I access it via the shell it shows the correct permissions for user/group:

    -rwxrwsr-x+  1 root nycdata    132 Mar  5 13:58 testfile.txt

    So what I did to try to correct this is that I copied the /etc/group and /etc/passwd files to the chrooted folder. Within the chrooted folder I created a folder called /etc. Also I created a folder called /bin and I dropped this into /etc of the chrooted folder.

    However I still cannot see the correct permissions when I use WinSCP. Though I have not tried FileZilla. The issue is that I will be having users connecting via WinScp or Filezilla and I would like them to be able to see their files easily.

    Not sure where I am going wrong, but any advice would be great.

    Thank you so much,

  5. Jemel says:

    Thanks for the article. I’m learning about SFTP now and was curious and wanted to know how to chroot its users on CentOS 7.

  6. Robert Giordano says:

    On my FreeBSD server, everything works fine until I try to rsync.

    If I do: sftp [email protected], I get “Connected to ip.address” like in your article above.

    But if I do: rsync -avz [email protected]/ /path/to/local/backup, then I get the following:

    protocol version mismatch — is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at /SourceCache/rsync/rsync-42/rsync/compat.c(61) [receiver=2.6.9]

    Any ideas? Thanks

    • Ravi Saive says:

      I think it's due to different versions of rsync installed on the servers; make sure you have the same version of rsync. Or maybe different flavors of Linux distros are used here, you need to check.

  7. Lenny says:

    You’re better off creating an SFTP root as /home/sftproot and then putting your SFTP users' home directories under /home/sftproot/home.
    Then when a user logs in they’ll automatically get put into their home directory, e.g. /home/lenny within the chroot, instead of the root directory of the chroot. You can then also restrict permissions so that within the chroot's /home directory users can’t see what other user directories exist (chmod 0751).
    You can also configure rsyslog to add a socket to /home/sftproot/dev/ so ssh logs all transfers to syslog.

  8. Jalal Hajigholamali says:

    Very nice article…
    Thanks a lot
