Lock Down SFTP File Access to a Specific Folder in the VShell® Server

Note: Starting with VShell 3.5, the SFTP category in the VShell Control Panel became Virtual Roots and the Use single virtual SFTP root option became Use single virtual root. The new nomenclature is used in the following information.

Explanation of "Virtual Roots" category in VShell

By default, the VShell server allows all users to access the file system. If you want to limit the folders that users can access via SFTP, the first step is to remove the Everyone group from the built-in <Unrestricted> virtual root.

Next, check to see if the Use single virtual root option is enabled in the Common / Virtual Roots category of the VShell control panel.

If Use single virtual root is enabled, the user session will open in a virtual "parent" directory that VShell uses to allow clients to properly handle multiple virtual roots. If you configure VShell to have a virtual directory pointing to "F:\", and specify an alias name for the virtual root, this alias name is what appears to the user as the only folder they have access to within the root of the file system. For example, if the virtual root to "F:\" within the VShell control panel has the alias name "Home", the user would connect and see that a file listing of the root would produce one directory named "Home".

If you disable the Use single virtual root option, the structure of the file system as it appears to the client will not change, but the initial location where the user is placed within that file system will be different.

With the Use single virtual root option "enabled", users are placed in "/", which is the virtual "parent" directory referred to earlier. It is also known as "{The virtual root}" as displayed within a VShell debug log file. This virtual parent directory is used only for navigation purposes. Clients cannot create folders or files in the virtual directory, and no files are available for download; it contains only the folders reflecting the alias names of the virtual directories that you have configured to "allow" access for the user in the VShell control panel.

With the Use single virtual root option "disabled", users are placed within the first virtual directory to which they have access (the first virtual root listed top-to-bottom within the VShell control panel to which the authenticated user is allowed access). For example, if the alias to the first virtual root that user "bob" has access to is named "Home", when user bob connects with SFTP he will be placed in the location of "/Home" (assuming the Use single virtual root option is disabled and user bob does not have access to the <Unrestricted> root).
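
The rules above, modelled as an added example (not VShell code and not part of the original page): given virtual roots in control-panel order, it reports each user's starting directory and root listing for both settings of Use single virtual root, and flags users who can still reach the <Unrestricted> root. The dictionary layout, the "Shared" root, its path, the users "alice" and "carol" and the "Administrators" group are assumptions made for illustration.

```python
# Added model of the rules on this page; not VShell code or its config format.
UNRESTRICTED = "<Unrestricted>"

def allowed(root, user, groups):
    """True if Everyone, the user, or one of the user's groups is on the root."""
    acl = set(root["allow"])
    return "Everyone" in acl or user in acl or bool(acl & set(groups))

def sftp_view(roots, single_virtual_root, user, groups=()):
    """Start directory and root listing for a user, per the page's rules.

    roots is ordered top-to-bottom as in the control panel.
    """
    visible = [r["alias"] for r in roots if allowed(r, user, groups)]
    if UNRESTRICTED in visible:
        # Lockdown not in effect: the whole file system is still reachable.
        return {"locked_down": False, "start": None, "listing": None}
    if not visible:
        # The page does not describe a user with no allowed roots.
        return {"locked_down": True, "start": None, "listing": []}
    # Enabled: navigation-only parent "/". Disabled: first allowed root.
    start = "/" if single_virtual_root else "/" + visible[0]
    return {"locked_down": True, "start": start, "listing": visible}

def still_unrestricted(roots, users):
    """Users (name -> groups) for whom the lockdown has not taken effect."""
    return sorted(u for u, g in users.items()
                  if not sftp_view(roots, True, u, g)["locked_down"])

# Constructed sample data (paths, users and groups are hypothetical).
DEFAULT_ROOTS = [{"alias": UNRESTRICTED, "allow": ["Everyone"]}]
LOCKED_ROOTS = [
    {"alias": UNRESTRICTED, "allow": ["Administrators"]},
    {"alias": "Home", "path": "F:\\", "allow": ["bob"]},
    {"alias": "Shared", "path": "G:\\drop", "allow": ["bob", "alice"]},
]
USERS = {"bob": [], "alice": [], "carol": ["Administrators"]}

if __name__ == "__main__":
    for name, groups in USERS.items():
        for single in (True, False):
            print(name, single, sftp_view(LOCKED_ROOTS, single, name, groups))
    print("unrestricted by default:", still_unrestricted(DEFAULT_ROOTS, USERS))
    print("unrestricted after change:", still_unrestricted(LOCKED_ROOTS, USERS))
```

Running the same comparison against the aliases an actual SFTP client lists at "/" for a test account confirms that the Everyone group was removed from <Unrestricted> and that the account sees only its intended roots.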