DEV Community

V.Ray

How I Secured User File Access Using ACL and Chroot Jail: A Step-by-Step Guide

## Introduction

In a recent project, I faced a security challenge: multiple users needed access to specific files and folders on Linux servers, but couldn't have full system access. Some users were accidentally accessing files outside their designated areas, and I needed a secure, scalable solution. I didn't want users to be able to navigate to other filesystems or folders.

After evaluating several approaches, I implemented a combination of Access Control Lists (ACL) and chroot jail that solved the problem completely. Here's exactly how I did it.


## The Challenge

The Problem:

I was managing a Red Hat Linux version 8 server where:

  • Multiple users needed access to different directories
  • Each user should only see and access their specific folders
  • Some users were navigating to parent directories they shouldn't access
  • Traditional Linux permissions (chmod/chown) weren't granular enough
  • The solution needed to be easy to manage as the user base grew

What I Tried First:

  1. Basic Linux permissions (chmod 750) - Too restrictive; couldn't give multiple users different access levels
  2. Linux groups - Became messy with users needing different combinations of access
  3. Separate user accounts per folder - Not scalable and hard to maintain

None of these solved the core problem: users could still navigate outside their designated folders.


## My Solution

I implemented a two-layer approach:

  1. ACL (Access Control Lists) - For granular file permissions
  2. Chroot Jail - To restrict users to specific directories

Here's the step-by-step process:

### Step 1: Set Up the Directory Structure

I organized the folders for easy ACL management:

```
/home/
  ├── userdata/
  │   ├── user1_folder/
  │   ├── user2_folder/
  │   └── shared_folder/
```

Created with:

```bash
sudo mkdir -p /home/userdata/{user1_folder,user2_folder,shared_folder}
```

### Step 2: Implement ACL for Fine-Grained Permissions

Instead of traditional chmod, I used ACL for specific user permissions.

Verify ACL is enabled:

```bash
mount | grep acl
```

On XFS, the RHEL 8 default, ACL support is always enabled and is not listed as a mount option, so empty output here does not mean ACLs are unavailable.

**Set specific user permissions:**

```bash
# Give user1 read/write access
sudo setfacl -m u:user1:rwx /home/userdata/user1_folder

# Give user2 read-only access to shared folder
sudo setfacl -m u:user2:r-x /home/userdata/shared_folder

# View current ACL settings
getfacl /home/userdata/user1_folder
```


**The advantage:** I could give different users different permission levels on the same folder - impossible with basic chmod.

### Step 3: Implement Chroot Jail

ACL controlled permissions, but users could still navigate to parent directories. Chroot jail restricted each user to their designated folder.

**Modified SSH config for SFTP users:**

```bash
sudo nano /etc/ssh/sshd_config
```

**Added these lines:**

```
Match User user1
ChrootDirectory /home/userdata/user1_folder
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

Match User user2
ChrootDirectory /home/userdata/user2_folder
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
```

**Important:** Chroot directories must be owned by root:

```bash
sudo chown root:root /home/userdata/user1_folder
# chmod on a directory that has an ACL also resets the ACL mask, so the
# u:user1:rwx entry from Step 2 is effectively r-x on this directory
sudo chmod 755 /home/userdata/user1_folder
```

**Create writable subdirectory:**

```bash
sudo mkdir /home/userdata/user1_folder/files
sudo chown user1:user1 /home/userdata/user1_folder/files
```
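
The ownership rule above applies to every directory on the path, not only the chroot folder: sshd checks each component from `/` down and refuses the session if any is not root-owned or is writable by group or others. The script below is an added example, not part of the original post, that performs the same walk; it assumes GNU `stat`, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): check a ChrootDirectory the way
# sshd does at login. Every directory from / down to the chroot must be owned
# by root and not writable by group or others, or the session is refused.

# check_component DIR [UID]: test one directory. UID defaults to 0 (root), as
# sshd requires; the override exists only so the check can be tried unprivileged.
check_component() {
    local dir want owner mode
    dir=$1 want=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "FAIL  $dir: not a directory"; return 1
    fi
    owner=$(stat -c '%u' -- "$dir")   # numeric owner (GNU stat)
    mode=$(stat -c '%a' -- "$dir")    # octal mode, e.g. 755
    if [ "$owner" -ne "$want" ]; then
        echo "FAIL  $dir: owned by uid $owner, expected $want"; return 1
    fi
    # With an ACL present, the group bits reflect the ACL mask, so an effective
    # write ACL entry on the chroot directory itself also trips this test.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL  $dir: mode $mode is writable by group or others"; return 1
    fi
    echo "ok    $dir (uid $owner, mode $mode)"
}

# check_chroot_path DIR: walk /, /home, /home/userdata, ... down to DIR.
check_chroot_path() {
    local path rest rc
    case $1 in
        /*) ;;
        *) echo "FAIL  $1: not an absolute path"; return 1 ;;
    esac
    path=/ rest=${1#/} rc=0
    check_component "$path" || rc=1
    while [ -n "$rest" ]; do
        path=${path%/}/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        check_component "$path" || rc=1
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /home/userdata/user1_folder
for dir in "$@"; do
    check_chroot_path "$dir"
done
```

Run it for each `ChrootDirectory` before restarting sshd, together with `sudo sshd -t`, which reports syntax errors in `sshd_config` without touching the running service.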


### Step 4: Restart SSH and Test

```bash
sudo systemctl restart sshd

# Test connection
sftp user1@server-ip
```




---

## The Results

After implementing this solution:

✅ All users have secure, isolated access to their designated folders  
✅ Zero unauthorized file access incidents since implementation  
✅ Easy to add new users - just copy the Match User block  
✅ Reduced administrative overhead for permission management  
✅ System has been running smoothly for several months  

The two-layer approach (ACL + chroot) provided both flexibility and security.

---

## Key Takeaways

- ACL provides more flexibility than chmod for multi-user environments
- Chroot jail is essential for SFTP/SSH access - ACL alone isn't enough
- Always ensure chroot directories are owned by root (755 permissions)
- Test with a non-privileged account before deploying
- Keep SSH logs enabled to monitor access patterns
- Document ACL rules - they're not visible in `ls -la` output

---

## Conclusion

Combining ACL and chroot jail solved the file access security challenge effectively. If you're managing Linux servers with multiple users needing restricted access, this approach will save hours of manual permission management.

Have you implemented chroot jail in your environment? What challenges did you face? Drop your questions in the comments!