Giving SSH access to a user, and security issues

As a normal user your friend won't be able to do too much harm to your server (sure they could spawn off a fork bomb or fill your disk, but if they're really a friend they probably wouldn't pull a dick move like that). My friends get actual login shells on my machine if they ask for an account, and a stern lecture that if they do anything that pisses me off they'll get booted off the machine.

It sounds like you don't trust your "friend" very much, so in addition to The Rook's answer I'll also say that a halfway competent person with the ability to run a PHP script can be almost as dangerous as a user with unrestricted (login-able) SSH access, and I assume your server allows PHP. Remember that the user can run untrusted code via PHP, up to and including downloading, compiling and running other arbitrary programs on your system (albeit within the limitations of the web server user's privileges). Generally speaking, unless you are chrooting/jailing your web server, anything your friend could have seen with his login shell he can see with some not-terribly-creative PHP scripting.

Bottom line: giving someone an account on your system and then locking out their shell in /etc/passwd & setting the SFTP chroot option helps, but you should really consider the security implications of any access, and your level of trust in this person.


Giving someone FTP access is one of the worst things you can do in terms of network security. Worms will sniff network traffic looking for FTP and will use this to spread. I have personally cleaned up a few sites that were infected like this.

You can disable shell access to the user account in /etc/passwd; in this case ssh is only used for SFTP. You can also set the ChrootDirectory in your sshd_config file to prevent the user from accessing files outside of a directory tree of your choice. ChrootDirectory shouldn't be necessary; you should be using Linux's built-in file access control. For instance, if the file isn't owned by the user, and global privileges have been removed, then that user will be unable to access the file. Use chmod 700 instead of 777. The last number is the global privileges, and 7 gives all users full access to that file. chown user:group filename is used to change the user/group that owns the file.
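
The settings both answers rely on (shell field in /etc/passwd, ChrootDirectory in sshd_config, no "other" permission bits) can be checked with a short script. This is an added example, not part of either answer; the username `friend`, the paths and the function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit helpers for an SFTP-only account (hypothetical names).

# Print the login shell (7th field) of <user> from a passwd-format file.
login_shell() {  # usage: login_shell <passwd_file> <user>
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed only if the account's shell refuses interactive logins.
# An account missing from the file counts as NOT locked.
shell_locked() {  # usage: shell_locked <passwd_file> <user>
    case "$(login_shell "$1" "$2")" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every ChrootDirectory value in an sshd_config-format file.
# Simplification: Match-block scoping is ignored; review the context by hand.
chroot_dirs() {  # usage: chroot_dirs <sshd_config>
    awk 'tolower($1) == "chrootdirectory" { print $2 }' "$1"
}

# List entries under <dir> that grant any permission to "other",
# i.e. a non-zero last digit such as the 7 in 777.
others_accessible() {  # usage: others_accessible <dir>
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Demo on constructed sample files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'friend:x:1001:1001::/home/friend:/usr/sbin/nologin' \
                  'alice:x:1002:1002::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'Match User friend' \
                  '    ChrootDirectory /srv/sftp/friend' > "$d/sshd_config"
    mkdir "$d/site" && chmod 700 "$d/site"
    : > "$d/site/private.php" && chmod 700 "$d/site/private.php"
    : > "$d/site/open.php"    && chmod 777 "$d/site/open.php"
    for u in friend alice; do
        if shell_locked "$d/passwd" "$u"; then echo "$u: shell locked"
        else echo "$u: interactive shell ($(login_shell "$d/passwd" "$u"))"; fi
    done
    echo "ChrootDirectory entries: $(chroot_dirs "$d/sshd_config")"
    echo "Accessible to other users:"; others_accessible "$d/site"
    rm -rf "$d"
}
demo
```

On a real host, point the functions at /etc/passwd, /etc/ssh/sshd_config and the web root.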