Restrict user's access to only one directory

ServerA needs to have a directory of ServerB mounted in a location, with write permissions.

I've been using SSHFS for this. I find SSHFS to be very stable (100% reliable), while NFS was not so stable, besides being really hard to configure, and by default being exposed to the public, etc.

With SSHFS, I had to create a local user on ServerB, and put its private key on ServerA, to set up the mounts.

However, if someone ever hacks into ServerA, the hacker will be able to access any directory/file that may have 'other' read permissions anywhere on ServerB, by logging into ServerB with that user and its private key.

Is there any way to prevent this, so that the ONLY directory that this user can access is the directory that needs to be mounted on ServerA?


Solution 1:

Configure the SSH server to put the user and their files into a restrictive chroot. If using OpenSSH, probably with the directives ChrootDirectory and ForceCommand internal-sftp.

NFS requires defining exported volumes, and is not a remote shell. In those respects it fits your file share scenario well. While NFS can be encrypted, usually it is not, so for security reasons it is generally confined to a private network.

Both will result in a bad performance experience if the network drops or the remote goes away unexpectedly.
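
An added example, not part of the original answer: an sshd_config fragment for ServerB that applies the two directives named above to the mount account. The user name sshfsmount and the paths /srv/sshfs-jail and /srv/sshfs-jail/share are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config on ServerB (fragment).
# "sshfsmount" and "/srv/sshfs-jail" are hypothetical names.
#
# Directory layout this fragment assumes:
#   /srv/sshfs-jail         owner root:root, mode 0755  (the chroot)
#   /srv/sshfs-jail/share   owner sshfsmount, mode 0750 (the writable data)
# sshd refuses the login if the chroot directory, or any parent of it,
# is not owned by root or is writable by group or others. That is why
# the writable directory is a subdirectory and not the chroot itself.

Match User sshfsmount
    # After authentication the session sees /srv/sshfs-jail as "/".
    ChrootDirectory /srv/sshfs-jail

    # Run the in-process SFTP server whatever the client requests,
    # so the key cannot be used to obtain a shell or run a command.
    ForceCommand internal-sftp

    # Close the other channels an SSH login normally offers.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the file with `sshd -t` before reloading the daemon. With this in place the mount on ServerA targets sshfsmount@ServerB:/share, and the rest of ServerB's filesystem is outside what that key can reach.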