Introduction
There was a requirement to securely exchange application files (such as configuration files, logs, or deployment packages) between internal users and a restricted server location, without giving shell access or full system access. The goal was to provide secure, isolated SFTP-only access to a specific application directory.
Why do we need to do
Allowing users to access application directories directly can lead to security risks, accidental system-level changes, or unwanted exposure of sensitive files. Traditional FTP methods are insecure and offer limited access control. A secure solution was needed where:
The user has SFTP-only access.
The user is jailed (chrooted) to a specific folder.
The application directory (WEB-INF) is accessible without compromising the actual application root.
How do we solve:
We achieved this using the following approach:
Created a Linux user FTPLMSapps.
Configured key-based authentication for passwordless login.
Set up chroot jail using /sftp/FTPLMSapps as the root directory.
Used a bind mount to expose only the required WEB-INF directory from the OC4J application without giving full access.
Ensured correct permissions to satisfy SFTP chroot requirements.
Configured sshd_config to enforce SFTP-only access for the user.
Core Steps:
# Create user directories
sudo mkdir -p /home/FTPLMSapps/.ssh
sudo chown -R FTPLMSapps:FTPLMSapps /home/FTPLMSapps
sudo chmod 700 /home/FTPLMSapps /home/FTPLMSapps/.ssh
# Add public SSH key
sudo nano /home/FTPLMSapps/.ssh/authorized_keys
sudo chmod 600 /home/FTPLMSapps/.ssh/authorized_keys
sudo chown FTPLMSapps:FTPLMSapps /home/FTPLMSapps/.ssh/authorized_keys
# Prepare chroot jail
sudo mkdir -p /sftp/FTPLMSapps
sudo chown root:root /sftp/FTPLMSapps
sudo chmod 755 /sftp/FTPLMSapps
# Bind mount the application directory
sudo mkdir -p /sftp/FTPLMSapps/WEB-INF
sudo mount –bind /home/oracle/oc4j/j2ee/home/default-web-app/WEB-INF /sftp/FTPLMSapps/WEB-INF
echo “/home/oracle/oc4j/j2ee/home/default-web-app/WEB-INF /sftp/FTPLMSapps/WEB-INF none bind 0 0” | sudo tee -a /etc/fstab
# Set ownership for application access
sudo chown FTPLMSapps:FTPLMSapps /sftp/FTPLMSapps/WEB-INF
# Configure SSHD for chrooted SFTP access
sudo nano /etc/ssh/sshd_config
# Add:
Match User FTPLMSapps
ChrootDirectory /sftp/FTPLMSapps
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
# Restart SSH service
sudo systemctl restart sshd
Conclusion:
This approach provided a secure, reliable, and isolated method for the user FTPLMSapps to upload/download files required for application integration and support — without granting shell access or exposing other system areas. It follows best practices for secure file exchange and supports business continuity by maintaining the application file structure integrity while giving limited access
