Restricting remote user to a single directory in 10.11

I need to confine remotely logged in users to stay in 1 directory only, so I thought I should attack this problem via SFTP or SSH, so I asked in

Restrict sftp user to a single directory in El Capitan.

But since sshd_config requires that each component in the directory path be owned by root, this requirement is not even possible in our case. So I guess both SSH and SFTP are not the solution.

What other approach can I take to do this task?

PS: After further reading, I think /bin/bash -r might be the way forward. Not sure if I can set up ssh to load /bin/bash -r by default.

PS: Tried to specify /bin/bash -r in the Login Shell field within the user's Advanced Options in Users & Groups. Now the user cannot even log in; the password prompt keeps returning. In system.log, I get

PAM: authentication error for illegal user

If I remove the -r option, the user can log in. I think a bit more config in sshd_config or /etc/pam.d/sshd will do the job....


Solution 1:

Create a file /bin/rbash, make it executable and set it as the shell for this newly created user:

#!/bin/bash
exec /bin/bash -r "$@"

The user over ssh is limited as the manual page for bash describes in its "RESTRICTED SHELL" section.
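Before handing the wrapper above to a real account, it is worth checking two things: that the restricted shell actually refuses what the bash manual's RESTRICTED SHELL section says it refuses (cd, slashes in command names, output redirection, changing PATH), and that the directory PATH points at contains only the tools you meant to expose, because a restricted shell is only as tight as the programs reachable from it. The script below is an added example, not part of the answer or of bash itself; rbash_try, audit_bindir and the temporary tool directory it creates are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: probe what "bash -r" refuses and audit the curated PATH
# directory a restricted user is given. Not from the original answer.

# Absolute path to bash, so the probe itself never depends on PATH.
BASH_BIN=$(command -v bash)

# rbash_try CMD BINDIR
# Run CMD in a fresh restricted bash whose PATH is pinned to BINDIR.
# Returns bash's exit status: 0 = the restricted shell allowed it.
rbash_try() {
    local cmd="$1" bindir="$2"
    PATH="$bindir" "$BASH_BIN" -r -c "$cmd" >/dev/null 2>&1
}

# audit_bindir BINDIR ALLOWED...
# Print every entry in BINDIR that is not on the allow-list; return 1 if any.
# Anything able to spawn another shell or run arbitrary commands (interpreters,
# editors with shell escapes, bash itself) undoes the restriction, so the
# allow-list should be short and reviewed.
audit_bindir() {
    local bindir="$1"
    shift
    local entry name allowed ok status=0
    for entry in "$bindir"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir: glob did not expand
        name=${entry##*/}
        ok=0
        for allowed in "$@"; do
            [ "$name" = "$allowed" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected tool in restricted PATH: $name" >&2
            status=1
        fi
    done
    return $status
}

# Constructed demo: an empty tool directory with only "ls" allowed into it.
demo() {
    local bindir probe
    bindir=$(mktemp -d)
    ln -s "$(command -v ls)" "$bindir/ls"
    for probe in 'echo hi' 'ls' 'cd /tmp' '/bin/ls' \
                 'echo x > /tmp/rbash_probe' 'PATH=/usr/bin'; do
        if rbash_try "$probe" "$bindir"; then
            printf 'allowed: %s\n' "$probe"
        else
            printf 'refused: %s\n' "$probe"
        fi
    done
    audit_bindir "$bindir" ls && echo "tool directory contains only allow-listed entries"
    rm -rf "$bindir"
}

demo
```

Builtins like echo and anything found in the pinned PATH run; cd, slashed paths, output redirection and PATH reassignment are refused. The restriction lives in the shell process, not in the filesystem, so a permitted program that can itself start a shell or run commands hands the user an unrestricted session; the allow-list audit is there to catch that before deployment.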