How to restrict SSH /SFTP User to a sub folder of an apache website?

ssh security linux apache-2.2 sftp

SSH has the capability to chroot a user built-in (since 4.9p1), but using it for interactive sessions is somewhat difficult.

Restricting sftp is fairly easy though, and can be configured on a per user, or per group basis

Match User joeblogs
    ChrootDirectory /data/htdocs/mywebsite/store/
    ForceCommand internal-sftp
    AllowTcpForwarding no

Interactive sessions are more complex, because the user needs a shell, and some device files to be present.

From man 5 sshd_config:

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices

I wouldn't recommend this, as you would need to build and maintain a copy of any utilities they need within their chroot. If you still want to try going this route, you can read more about it the sshd_config man page, and here

Related

Ports below 1024
BSD 50% interrupt utilization in irq0/clock
AD: Roll out an MSI application at midnight
Draytek Vigor 2820 static IP's
What are the advantages/disadvantages of using cgroups?
KVM + cgroups: Dom0 process best practice?
How to script printer creation on a Windows Server 2008 R2 clustered print server?
RDP Sessions are slow ...what does the affect of Color Depth have on the user experience?
HP z800 running Vista loses NVIDIA display settings after Windows Update
mount.nfs: access denied by server while mounting (Kerberos authentication)
Is there a way to force remove an SCCM 2007 Site Server?
Broadcom BCM5716 Hangs on CentOS 6 Boot