By default a user in user has a lot of rights, nothing really critical, but why allow him to peak in any config files if he doesn't really need to? So i was looking for a way to limit the rights of a remote user, without the need to chmod a lot of files. The first way i found was to create a jail shell. This is a pretty cool way to limit a user to a handful of commands and prevent him of leaving his home-directory. It works either with SFTP (easy) and SSH (bit more of configuration) and can either be applied to a user or a group. The user is named "heinzi" in this example:
SFTP
user
Match User heinzi
ChrootDirectory /home/heinzi
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/lib/openssh/sftp-server
group
Match Group users
ChrootDirectory /home
AllowTCPForwarding no
X11Forwarding no
ForceCommand /usr/lib/openssh/sftp-server
restart ssh
/etc/init.d/ssh restart
The user should now be limited to his homedirectory.
