In order to give a user restricted access to a specific directory, we use a chroot plus bindfs setup:
(tested on CentOS 7 x64)
bindfs
Mount a directory to another location and alter permission bits.
bindfs is a FUSE filesystem for mounting a directory to another location, similarly to mount --bind. The permissions inside the mountpoint can be altered using various rules.
Examples
Make a directory read-only for non-root users.
bindfs --perms=a-w somedir somedir
Share a directory with some other users without modifying /etc/group.
bindfs --mirror-only=joe,bob,@wheel ~/some/dir shared
Make all new files uploaded to an FTP share owned by you and seen by everyone.
bindfs --create-for-user=me --create-with-perms=u+rw,a+rD /var/ftp/uploads /var/ftp/uploads
Make your website available to the webserver process read-only.
bindfs --force-user=www --perms=0000:u=rD ~/stuff/website ~/public_html
The corresponding /etc/fstab entry.
/home/bob/stuff/website /home/bob/public_html fuse.bindfs force-user=www,perms=0000:u+rD 0 0
In this setup we will allow an external user called "support" to access, via SFTP only, a chroot directory containing various Apache and Tomcat log directories mapped in via bindfs.
Create the group, user and directories:
groupadd sftponly
mkdir -p /home/sftproot/support/home
useradd -d /home/sftproot/support -g sftponly -G apache -u 2021 -s /sbin/nologin support
chown root:root /home/sftproot/support
chown support:sftponly /home/sftproot/support/home
cd /home/sftproot/support/
mkdir .ssh
touch .ssh/authorized_keys
chmod 0600 .ssh/authorized_keys
chown support .ssh/authorized_keys
chown support .ssh
Set up the sshd entry in /etc/ssh/sshd_config (the Match block must come after all global options; sshd will only chroot if every component of the ChrootDirectory path is owned by root and not writable by group or others, which is why /home/sftproot/support was chowned to root above):
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /home/sftproot/%u
ForceCommand internal-sftp
AllowTcpForwarding no
Set up the directory mounts using bindfs
With bindfs we can set specific permissions on the mount; in this case we make it read-only through the "-o ro" argument.
yum -y install bindfs
mkdir /home/sftproot/support/home/apache_logs
chown support /home/sftproot/support/home/apache_logs
bindfs --map=root/support -o ro /var/log/httpd /home/sftproot/support/home/apache_logs
mkdir /home/sftproot/support/home/tomcatA_logs /home/sftproot/support/home/tomcatB_logs
chown support /home/sftproot/support/home/tomcatA_logs /home/sftproot/support/home/tomcatB_logs
bindfs -o ro /opt/app/tomcatA/logs /home/sftproot/support/home/tomcatA_logs
bindfs -o ro /opt/app/tomcatB/logs /home/sftproot/support/home/tomcatB_logs
mkdir /home/sftproot/support/home/webapps_all
chown support /home/sftproot/support/home/webapps_all
bindfs -o ro /opt/app/storage /home/sftproot/support/home/webapps_all