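Create a standard user sftpusr and a group sftponly, and make sftpusr a member of sftponly so that the Match Group block below applies to the account.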

sudo vim /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server

# Validate the edited file with `sudo sshd -t` before restarting sshd.
# Serve SFTP from sshd's built-in server; -l VERBOSE sets the log level and
# -f LOCAL3 the syslog facility for sessions started through this subsystem.
Subsystem sftp internal-sftp -l VERBOSE -f LOCAL3
# The settings below apply only to members of group sftponly.
Match Group sftponly
# No X11 or TCP forwarding, so the account cannot be used to tunnel traffic.
X11Forwarding no
AllowTcpForwarding no
# Every session runs the SFTP server instead of a shell or a requested command.
# NOTE(review): this forced command carries no -l/-f options, so the logging
# flags on the Subsystem line are presumably not applied to sftponly sessions;
# repeat them here if transfers by these users should be logged.
ForceCommand internal-sftp
# %u expands to the login name. sshd requires /chroot/%u and every directory
# above it to be owned by root and not writable by group or others, otherwise
# the session is refused; give the user a writable subdirectory instead.
ChrootDirectory /chroot/%u

run command
sudo chroot -u sftpusr /chroot

sudo vim /etc/exports
/Volumes/DATACUBE /Volumes/DATACUBE/Media /Volumes/DATACUBE/Upload -network -mask

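manual mount (the NFS source, in the form <server>:<exported path>, appears to be missing from these commands as shown; it goes before the mount point)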
sudo mount -o ro -t nfs /chroot/sftpusr/media/
sudo mount -o rw -t nfs /chroot/sftpusr/upload


auto mount
mkdir /Users/bhr/Library/LaunchAgents/

vim /Users/bhr/Library/LaunchAgents/org.mount.nfs.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">


vim /Users/bhr/Library/LaunchAgents/
mount -o ro -t nfs /chroot/sftpusr/media/
mount -o rw -t nfs /chroot/sftpusr/upload

df -H


  1. Alex

    I have a question more relevant to my own situation. If you please, I have a group named sftpgroup and users inside that group. How do I prevent those users from gaining shell access? If I give them a null shell they lose sftp access. Do your steps resolve this? I looked at man chroot(8) in High Sierra and it would appear to do what I need. Could you kindly clarify?

    1. admin Article Author

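      No need for a special shell; just create a standard macOS user. The chroot command should do the rest. (In the sshd_config above, ForceCommand internal-sftp in the Match block is what makes sshd start the SFTP server instead of a shell for group members.)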
