I’d like other users/accounts on the same server not to be visible to the owner of a virtual server. Now when I create a virtual server and someone uses SFTP to connect to its account, they can browse the server and can see which other accounts exist in the home directory.
Is it possible to hide these other accounts without blocking sftp access to the user?
That’s already the case: they can’t access other users’ home directories. Discretion in customer account names is possible, but I think having account names that are easy to remember/correlate is an advantage as well.
Since SFTP uses SSH, it’s not possible to hide specific server contents from users who are allowed to log in. (Okay, apparently there is, but only with a good deal of hacking and compiling involved, not a thing for the faint of heart ;).) The directory names in /home are an example of that. You of course can set the access rights so that an SFTP user cannot enter the home directories of other vservers.
Aside from that, if you wish to apply a kind of “discretion” in terms of home directory contents, you can use “neutral” customer account and home directory names, like “cust01”, “cust02” etc. instead of using the domain name as user/directory name.
If you use FTP(S) though, it is possible to restrict users to their or their vserver’s home directory.
Yes, that’s true. Unfortunately, this here is a “cannot have everything” situation.
Googling for “sftp restrict access home” might yield some useful hints. Still, it’s probably going to involve non-trivial stuff.
SSH is not meant to lock the user up in a certain directory - it’s for shell logins, where you need access to /etc, /bin, /usr etc. to execute commands. SFTP is just an addition to SSH, making file transfers easier.
Also note that SSH/SFTP only allows users to see things they have permission to see anyway.
A user could just as easily install a PHP file browser, and browse the files and directories that way.
The thing I’d suggest being concerned about is how to keep the various web applications your users install up to date… as it’s really common to see spammers breaking in through vulnerable web applications, and sending out bazillions of emails through your server.
Yeah, very good point about the PHP file browser there.
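The access-rights point made in the thread can be checked with a short audit script. This is an added example, not part of any post above: it reports which home directories under a base path can be entered or listed by other local accounts, and whether the base directory itself lets them list the account names. It looks only at the "other" permission bits (group membership is not evaluated), and the sample tree, including `cust03` and the chosen modes, is constructed for the demonstration.

```python
import os
import stat
import tempfile


def names_listable_by_others(base):
    """True if accounts outside the owner/group of `base` can list its entries."""
    return bool(stat.S_IMODE(os.stat(base).st_mode) & stat.S_IROTH)


def audit_home_dirs(base):
    """Map each home directory under `base` to the 'other' permission bits set on it."""
    findings = {}
    for entry in sorted(os.scandir(base), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        issues = []
        if mode & stat.S_IXOTH:
            issues.append("other-enter")   # another account can cd into it
        if mode & stat.S_IROTH:
            issues.append("other-list")    # another account can list its contents
        if mode & stat.S_IWOTH:
            issues.append("other-write")   # another account can create/delete entries
        if issues:
            findings[entry.name] = issues
    return findings


def build_sample_tree(base):
    """Constructed sample layout, not taken from a real server."""
    os.chmod(base, 0o755)
    for name, mode in (("cust01", 0o750), ("cust02", 0o755), ("cust03", 0o700)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        print("account names listable by others:", names_listable_by_others(sample))
        for name, issues in audit_home_dirs(sample).items():
            print(name, ", ".join(issues))
```

On a real server, pass `/home` (or wherever the virtual server homes live) to both functions instead of the sample tree.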