I'd like to create a user on OS X that has remote ssh login privileges where they can access a certain folder /path/to/the/goods/ and add/modify/delete files manually or via rsync while the rest of the Mac is off limits (outside their home directory).
Ideally the user should not have access to run any other programs other than rsync.
This user is just going to be used by a build server to login and deploy files to. I want to use a public/private key pair so the build script doesn't require password input.
How can I accomplish this?
Best Answer
The best way to do this is to create a chroot jail for the user. I'll clean up the answer here when I get home but I posted the solution on my blog.
https://thefragens.com/chrootd-sftp-on-mac-os-x-server/
Below are most of the instruction from the above post.
First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.
From the Terminal, start off right.
Every additional new user added will then be something along the lines of the following.
Every folder it the path to the chroot jail must be owned by
root
. I don't think it matters what group the folder is in. What I did above was to/etc/sshd_config
root
Now to edit
/etc/sshd_config
to the following.This creates a chroot jail that when the user logs in will drop them into the folder
/chroot/user
, in that folder is a folder they can add things to/chroot/user/scratchpad
.If you want to create a Group in Workgroup Admin for 'Chroot Users' then add the new users that you created in Workgroup Admin to the Group you won't have to keep editing the
/etc/sshd_config
file. Instead of the above, add the following. Make sure you add the 'Chroot Users' group to the SSH access ACL in Server Admin.To test whether the above is working, issue the following from the terminal.