IBM Support

IBM AIX: Using AllowFiles Directive to Restrict SFTP Users and Groups to Specific Working Directories

How To


Summary

This document is a walk-through on how to configure the /etc/sshd_config file so that sftp users and groups are restricted to specific working directories. With this configuration, users can still see exactly where they are in the file system hierarchy by running the "pwd" command.

Objective

Use the AllowFiles directive to restrict sftp users and groups to specific working directories.

Environment

All AIX/POSIX Environments that use OpenSSH.

Steps

1. Add the AllowFiles directive to the /etc/sshd_config file in one of the following formats:
Users Only:
AllowFiles "<USER1>:/path/to/dir1,/path/to/dir2 <USER2>:/path/to/dir3,/path/to/dir4"
Groups Only:
AllowFiles "+<GROUP1>:/path/to/dir1,/path/to/dir2 +<GROUP2>:/path/to/dir3,/path/to/dir4"
Users and Groups:
AllowFiles "<USER1>:/path/to/dir1,/path/to/dir2/* <USER2>:/path/to/dir3,/path/to/dir4 +<GROUP1>:/path/to/dir5/* +<GROUP2>:/path/to/dir6/*"
Note:
  • Users and groups are space separated, while files and directories are comma separated. All the users and groups within an AllowFiles entry are surrounded by a single pair of double quotes.
  • Notice the use of the plus (+) sign at the beginning of the group names.
  • Notice the use of the asterisk wildcard, which allows the user or group access to subdirectories of the directory specified.
  • Only the sftp users and groups specified by the AllowFiles directive will be allowed access to the listed files or directories. All others will be denied.

2. Make sure the specified GROUP is the primary group of all its members (the users to be jailed). Overlooking this step causes permission-denied errors at login time. Use the chuser command to change a user's primary group as follows:
# chuser pgrp=<GROUP> <memberUSER>

3. Recycle the sshd daemon as follows:
# stopsrc -s sshd;startsrc -s sshd
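As an added example (not part of the IBM document, and not sshd's own matching code), the following Python script parses an AllowFiles line in the format shown above and evaluates whether a given user, with a given primary group, would be allowed a path, so an entry can be sanity-checked before sshd is recycled. The matching model is an assumption: a path ending in /* covers the directory and everything below it, while a path without the wildcard covers only the directory itself and entries directly inside it.

```python
import posixpath
from typing import Dict, List, Tuple

Rules = Dict[Tuple[str, str], List[str]]


def parse_allowfiles(line: str) -> Rules:
    """Parse one AllowFiles line into {(kind, name): [paths]}.

    kind is 'user' or 'group'; a leading '+' on the name marks a group.
    Entries are space separated, paths within an entry comma separated,
    and the whole entry list sits inside one pair of double quotes.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != "AllowFiles":
        raise ValueError("not an AllowFiles directive")
    body = parts[1].strip()
    if len(body) < 2 or body[0] != '"' or body[-1] != '"':
        raise ValueError("AllowFiles entries must be enclosed in double quotes")
    rules: Rules = {}
    for entry in body[1:-1].split():  # users/groups are space separated
        name, sep, paths = entry.partition(":")
        if not sep or not name.lstrip("+") or not paths:
            raise ValueError(f"malformed entry: {entry!r}")
        kind = "group" if name.startswith("+") else "user"
        rules[(kind, name.lstrip("+"))] = [p for p in paths.split(",") if p]
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Assumed model: '/dir/*' allows /dir and anything below it;
    '/dir' alone allows only /dir and entries directly inside it.
    normpath collapses '..' so a traversal attempt is judged by its real target."""
    path = posixpath.normpath(path)
    if pattern.endswith("/*"):
        base = posixpath.normpath(pattern[:-2])
        return path == base or path.startswith(base + "/")
    base = posixpath.normpath(pattern)
    return path == base or posixpath.dirname(path) == base


def is_allowed(rules: Rules, user: str, primary_group: str, path: str) -> bool:
    """Allowed only if a rule for the user or for the user's primary group
    matches; anyone not named in the directive is denied everything."""
    patterns = rules.get(("user", user), []) + rules.get(("group", primary_group), [])
    return any(path_matches(p, path) for p in patterns)
```

The constructed rule set in the test mirrors the page's format; the group rule applies only when the group is the user's primary group, which is exactly why step 2 above matters.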


Document Location

Worldwide



Document Information

More support for:
AIX

Software version:
All Versions

Operating system(s):
AIX, Linux

Document number:
1285792

Modified date:
15 September 2021

UID

ibm11285792
