##What I want to do
I want to add a second user, but restrict what the user can do:
newsletters, it will be in the public folder.
newsletters, folder
This is the full path to the newsletters folder:
/srv/users/serverpilot/apps/test-app/public/newsletters
##What I’ve done so far
I’ve followed this guide How do I restrict a user to a specific directory? by Maxamilian Demian (@Maxoplata), there’s a great reply by Jonathan Tittle (@jtittle).
However, I’m still having problems logging in via SFTP
I’ve listed out all the steps I’ve done - hopefully someone with more experience will be able to spot my error(s)!
##1. Created a new user
root user-sftp-only
2. adduser user-sftp-only
compgen -u
5. user-sftp-only is at the bottom of the list
grep user-sftp-only /etc/passwd outputs:
user-sftp-only:x:1004:1007:,,,:/home/user-sftp-only:/bin/bash
##2. Give new user root privileges
user-sftp-only root privileges
2. gpasswd -a user-sftp-only sudo
root
##3. Create a new directory
user-sftp-only public called newsletters:
4. cd /srv/users/serverpilot/apps/test-app/public/
5. Followed by:
6. sudo mkdir newsletters
##4. Check directory permissions
public folder from the previous step, I run ls -al
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 root root 4096 Mar 7 15:26 newsletters
From reading various DigitalOcean posts, I know I need to create a group and assign my new user user-sftp-only to that group, then change root root to the name of my user and group.
##5. Create a new group
user-sftp-only
sudo groupadd group-sftp-only
compgen -g
5. group-sftp-only is at the bottom of the list
Note: I notice my new user called user-sftp-only is also in this list?
##6. Add user to the group
root user-sftp-only to a group called group-sftp-only user-sftp-only
usermod -g group-sftp-only -d /srv/users/serverpilot/apps/test-app/public/newsletters -s /sbin/nologin user-sftp-only
-g specifies the group name
-d specifies the user's home directory
-s specifies shell access (/sbin/nologin means SSH is disabled for this user)
##7. Verify the changes to the user
root
grep user-sftp-only /etc/passwd
user-sftp-only:x:1001:1004:,,,:/srv/users/serverpilot/apps/test-app/public/newsletters:/sbin/nologin
##8. Modify SSH Configuration to allow SFTP
root
nano /etc/ssh/sshd_config
#Subsystem sftp /usr/lib/openssh/sftp-server -l INFO
sshd_config added this:
Subsystem sftp internal-sftp
Match group group-sftp-only
ChrootDirectory %h
ForceCommand internal-sftp
##9. Restart SSH
root
service ssh restart
##10. Modify permissions
root user-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters
chown -R user-sftp-only:group-sftp-only /srv/users/serverpilot/apps/test-app/public/newsletters
##11. Verify ownership change
root
cd /srv/users/serverpilot/apps/test-app/public/
ls -al shows me:
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 3 16:22 ..
-rw-r--r--+ 1 serverpilot serverpilot 3393 Mar 3 16:22 index.php
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 newsletters
cd /srv/users/serverpilot/apps/test-app/public/newsletters
ls -al shows me:
drwxrwxr-x+ 2 user-sftp-only group-sftp-only 4096 Mar 7 15:26 .
drwxr-xr-x+ 3 serverpilot serverpilot 4096 Mar 7 15:26 ..
That’s where I’m up to. However, I can’t log in as my new user user-sftp-only via SFTP.
Not sure where I’m going wrong - I’m new to this!
##EDIT
I can log in via SFTP with another user name - using an FTP client called Transmit.
If I get info on the folder newsletters everything matches what Terminal is telling me…
Here’s a screenshot
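
sshd only accepts a ChrootDirectory when that directory and every parent up to / is owned by root and not writable by group or others (sshd_config(5)), which is worth checking against the chown in step 10 and the drwxrwxr-x listing in step 11. The script below is an added example, not part of the original post; it assumes GNU stat, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit a path against sshd's ChrootDirectory rules.
# Assumes GNU coreutils stat (-c); function names are illustrative.

# check_component UID MODE
# UID is the numeric owner, MODE the octal mode as printed by `stat -c %a`.
# Succeeds only for a root-owned entry with no group/other write bit.
check_component() {
    [ "$1" = "0" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ] || return 1
}

# check_chroot_path ABSOLUTE_DIR
# Walks from the directory up to /, reporting every component sshd would
# reject. Returns 0 if all pass, 1 if any fails, 2 on a relative path.
check_chroot_path() (
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        # A missing or unreadable component yields empty values and fails.
        uid=$(stat -c %u "$p" 2>/dev/null) || uid=
        mode=$(stat -c %a "$p" 2>/dev/null) || mode=
        if ! check_component "$uid" "$mode"; then
            echo "REJECT $p (uid=${uid:-?} mode=${mode:-?})"
            rc=1
        fi
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break   # reached /
        p=$parent
    done
    return "$rc"
)

# Usage, with the path from the post:
#   check_chroot_path /srv/users/serverpilot/apps/test-app/public/newsletters
```

Each REJECT line is a component that would make sshd drop the session with a "bad ownership or modes for chroot directory" message in the auth log.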

Accepted Answer
Hi @jtittle
Thank you so much for taking the time to read and reply to my post!
After following your great instructions, the user user-sftp-only is restricted to just the newsletters folder. user-sftp-only can upload, rename and delete files and sub-folders via SFTP only. Great.
If I cd to /home/user-sftp-only and run ls -l I see this:
drwxr-xr-x 2 user-sftp-only user-sftp-only 4096 Mar 8 11:58 newsletters
Next step is to configure a way to sync the files located here:
/home/user-sftp-only/newsletters
So they automatically appear here:
/srv/users/serverpilot/apps/test-app/public/newsletters
I found a DigitalOcean article How To Mirror Local and Remote Directories on a VPS with lsyncd. Is this what you have in mind for syncing?
hi guys, tks for guide! I get error in filezilla if I log with new user: network error: software caused connection abort filezilla
Hi @jtittle
That works great! Thank you so much for your help with this.
It’s a shame deleted files aren’t also synced, but that’s ok. I’ll set delete = false. If the end user ever needs to delete any files I can do it manually for them.
I’ve been struggling with this for longer than I’d like to admit! However, thanks to you and the many DigitalOcean posts I’ve read, I have expanded my knowledge of Terminal and navigating around my server.
Great stuff.