Index
I need different users to have access to different directories, but no one should have access to other people's directories.
To better control access to directories on your server you can use VShell's virtual directory feature. Users connecting with SFTP, FTPS, or HTTPS will have file system access limited to only the locations you allow.
To set up virtual directories, follow these steps:
- Divide your system's users into logical groups. Your system may already have user groups that you can use or you can create new groups. For the purpose of this explanation, we'll use the following example groups:
- Developers
- Accounting
- Sales
- TechSupport
- Determine the access needs of your users and groups.
In our example, members of each group share a common area and only members of that group should be able to see their common area. Example user Danny is a member of both Developers and TechSupport; though, when connecting via SFTP, FTPS, or HTTPS he should only have access to TechSupport files. Kirk is a member of Developers and TechSupport also, but he should see the files of both groups. Ken is an admin, and should be able to see the file system as it really is. Each user should be able to access the files in their home directory, but no one else should see these files.
- Open the vshelld_config file and add virtual directory settings. For each virtual directory, you can allow or deny access (a deny takes precedence over allows). You can also use the * to denote everyone.
Important: the vshelld_config setting is called "SFTP Virtual Directories" even though it affects file transfer performed with FTPS and HTTPS as well as SFTP.
The configuration for our example would be conveyed as follows:
SFTPVirtualDirectories{
Unrestricted{
AllowUsers { Ken }
}
Alias "home"{
Directory "$USER"
AllowUsers { * }
}
Alias "Development"{
Directory "/home/dev"
AllowGroups { Developers }
DenyUsers { Danny }
}
Alias "Accounting"{
Directory "/home/accounting"
AllowGroups { Accounting }
}
Alias "TechSupport"{
Directory "/home/TechSupport"
AllowGroups { TechSupport }
}
}
Now, when Ken logs in, he will see the file system as it really is because he has unrestricted access. Members of the Developers group, except for Danny, will see the following file system when they log in:
In the above file system, "home" directory that the each user sees on screen is in reality that users home directory (where ever it really is) and /Development refers to /home/dev. For instance, Kirk will see:
/
home/
Development/
TechSupport/
Similarly, other groups will see only /home and their appropriate group files.
Using virtual directories allows you to tailor the files that are visible to any given user to exactly the set of files they need to get their work done, thereby increasing the security of your data.
To further restrict access and use of your server, you can also implement access control lists (ACLs), connection filters, and port-forwarding filters. More information can be found in the vshelld_config (5) man page.
Three Fast Ways to Learn More About VShell Server For Windows, Linux, and macOS
Tell
me more. Email us your questions about putting VShell to work for your organization.
Try
it today! Download a free evaluation copy of VShell
for Windows, Linux, or macOS.
Talk
to us. Let us help define the right VShell server solution
for your company.
