How to set up an account for SSH with limited read access?

Discussion in 'OS X El Capitan (10.11)' started by 72hundred, Mar 7, 2016.

  1. 72hundred macrumors newbie

    Joined:
    Mar 7, 2016
    #1
    Hi,

    Long story short, I want to SFTP into a Mac with Beyond Compare from Windows 8.1. (The Mac would be the SFTP server, so to speak.)

    Basically, what I want to set up is an account to access the Mac via SSH (SFTP) that will have access to one folder ONLY on an external hard drive that's always connected. Ideally I don't actually want or need another login account to appear at the login window.

    I tried to set this up recently, but the profile I created was a standard profile and it had huge access to all of the hard drive, even outside of its own profile, which was way too much.


    Many thanks for the help!

    EDIT: That should have been read/write/delete access in the title.
     
  2. ocabj macrumors 6502a

    ocabj

    Joined:
    Jul 2, 2009
    #2
    Read up on Unix permissions to understand what user, group, everyone and read, write, execute means in the context of files and directories.

    Anyway, generally, files and directories for the operating system are going to have at the very least read/execute permissions for everyone. All people will need these rights to get into the system (assuming they have a valid account). By this fact, a user will be able to navigate various parts of the filesystem once in.

    What you can do is force the application (the SSH daemon) to enforce an ACL layer. OpenSSH does support this to some extent by jailing given users with ChrootDirectory:

    https://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP

    This essentially presents a 'jailed' filesystem to specified users so they *shouldn't* be able to change directories outside of the defined chroot.
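The ChrootDirectory setup described above, as an added example that is not part of the thread or of the OpenSSH project: a shell script that emits the sshd_config Match block for an SFTP-only user and checks the one requirement that trips most people up, namely that the chroot directory and every directory above it must be owned by root and not be writable by group or others, or sshd refuses the login with "bad ownership or modes for chroot directory". The user name sftpuser and the path /Volumes/ExtDrive/sftp are assumptions for illustration; the user's writable folder is assumed to be a subdirectory inside the jail.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: SFTP-only user "sftpuser",
# jail root /Volumes/ExtDrive/sftp, writable share in the "share" subdir.

# Emit the sshd_config fragment that confines one user to the jail and only
# allows the built-in SFTP server (no shell, no port forwarding).
# Append the output to /etc/ssh/sshd_config; Match blocks must come last.
sftp_jail_config() {
    user="$1"
    jail="$2"
    printf '%s\n' \
        "Match User $user" \
        "    ChrootDirectory $jail" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no" \
        "    PermitTunnel no"
}

# Walk from the jail up to / and verify sshd's ChrootDirectory rules for each
# component: exists, owned by root, not group- or world-writable. Prints the
# first violation and returns 1; returns 0 when the whole path is acceptable.
# Uses "ls -ld" so it works the same on macOS and Linux (stat flags differ).
check_chroot_path() {
    d="$1"
    while :; do
        if [ ! -d "$d" ]; then
            printf '%s: not a directory\n' "$d"
            return 1
        fi
        # shellcheck disable=SC2012
        set -- $(ls -ld "$d")
        mode="$1"
        owner="$3"
        # mode string: position 6 is group write, position 9 is other write
        case "$mode" in
            ?????w*|????????w*)
                printf '%s: writable by group or others (%s)\n' "$d" "$mode"
                return 1 ;;
        esac
        if [ "$owner" != root ]; then
            printf '%s: owned by %s, must be owned by root\n' "$d" "$owner"
            return 1
        fi
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
    return 0
}

# Stand-alone demo: print the config and check a hypothetical jail path.
# (Will report the first problem if that path does not exist on this machine.)
main() {
    sftp_jail_config sftpuser /Volumes/ExtDrive/sftp
    echo
    if check_chroot_path /Volumes/ExtDrive/sftp; then
        echo "chroot path OK"
    fi
}

# Only run the demo when executed directly, not when sourced for testing.
case "$0" in
    *sftp_jail*|*/sh|sh|*/bash|bash) ;;
    *) ;;
esac
```

Usage: after appending the Match block, run `sudo sshd -t` to syntax-check the file before reloading sshd. The jail root stays root-owned and mode 755 (so the user cannot create files directly at the top of the jail), and the folder the user should actually use, for example /Volumes/ExtDrive/sftp/share, is created inside it and chowned to that user. The user's home directory in the account record is then set relative to the jail (for example /share), since after chroot the jail root appears as /.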
     
