Thanks, I didn't know that this is called "chroot". But I figured it out last night.
I found many different tutorials and approaches on the web, but finally I did the mix which gave me success, and I'll post it here for others if needed:
In my case I wanted the sFTP folder to be stored at
Macintosh HD/sftp
which means the whole path in root/shell will be:
/Volumes/Macintosh HD/sftp
So here's the approach:
First create the folder:
sudo mkdir "/Volumes/Macintosh HD/sftp"
Basic rule: Every folder in the path, up to and including "sftp", has to be owned by root,
and only writable by root! That will be achieved as follows:
sudo chmod g-w /
sudo chmod g-w /Volumes
sudo chmod g-w "/Volumes/Macintosh HD/"
sudo chown root "/Volumes/Macintosh HD/"
Now, I wanted the sftp folder to be accessed by the group "sftpusers" only.
So, as told above, the sftp folder also has to be owned by root and writable only by root,
which means the group "sftpusers" has to be set to read-only as well (otherwise the login will fail later):
sudo chown root:sftpusers "/Volumes/Macintosh HD/sftp"
sudo chmod 750 "/Volumes/Macintosh HD/sftp"
As a final step, enter /etc/ in the server's root directory and make a copy of the file "sshd_config":
sudo cp /etc/sshd_config /etc/sshd_config.bkup
Edit the sshd_config as follows.
Comment out the line
Subsystem sftp /usr/libexec/sftp-server
and add instead
Subsystem sftp internal-sftp
and finally add at the end:
Match Group sftpusers
ChrootDirectory /sftp
ForceCommand internal-sftp
AllowTcpForwarding no
With this, the group "sftpusers" will be directed to the folder "sftp" when logging in.
That's all!
Note: As the "sftp" folder is read-only, you can easily create subfolders where you can provide individual read/write permissions for all members.
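
The ownership rule described in the post above, as an added example that is not part of the original post: a shell function that walks every component of a ChrootDirectory path and flags any that is not owned by the required uid or is writable by group or others. The function names are made up for this example, and the stat call assumes either GNU stat or the BSD/macOS stat.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ChrootDirectory path.

# Print "/" and then every cumulative prefix of an absolute path, one per line.
path_prefixes() {
    rest=${1#/}; cur=""
    echo "/"
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        if [ -n "$part" ]; then      # skip empty parts from "//" or a trailing "/"
            cur="$cur/$part"
            echo "$cur"
        fi
    done
}

# $1 = owner uid, $2 = octal mode, $3 = required owner uid.
# Passes only if the owner matches and neither group nor others may write.
component_ok() {
    [ "$1" -eq "$3" ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# $1 = chroot directory, $2 = required owner uid (default 0, i.e. root).
# Prints one line per path component; returns non-zero if any is unsafe.
audit_chroot_path() {
    want=${2:-0}; bad=0
    while IFS= read -r dir; do
        # GNU stat first, then the BSD/macOS form; -L follows symlinks.
        st=$(stat -L -c '%u %a' "$dir" 2>/dev/null ||
             stat -L -f '%u %Lp' "$dir" 2>/dev/null) || st=""
        if [ -z "$st" ]; then
            echo "MISSING $dir"; bad=1
        elif component_ok "${st% *}" "${st#* }" "$want"; then
            echo "ok      $dir"
        else
            echo "UNSAFE  $dir (uid=${st% *} mode=${st#* })"; bad=1
        fi
    done <<EOF
$(path_prefixes "$1")
EOF
    return "$bad"
}

# Example: audit_chroot_path "/Volumes/Macintosh HD/sftp"
```

Running it before restarting sshd shows which folder in the path would make the login fail, instead of finding out from a rejected connection.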