Troubleshooting SFTP Permission Denied

The SFTP Permission denied error happens when you SFTP into a server and try to add, remove or modify a file or directory. Still, the SFTP server does not allow you, and instead, it throws back permission denied, error: code 3.

To solve the SFTP permission denied error, you’ll need to verify that the user account you are using to SFTP has the proper permissions. Then, in the SFTP server, find the file or directory and change ownership or update its permissions.

Table of Contents

1. File Permissions and Ownership
2. A Closer Examination
3. Fixing the SFTP permission denied error on a Windows SFTP Server
4. How to solve the SFTP Permission denied on a Linux SFTP Server
5. Alternative ways to solve the Permission denied error
6. Conclusion

1. File Permissions and Ownership

Whether your server is Linux or Windows-based, the SFTP permission denied is always a result of inconsistent or misconfigured user permissions. To solve this problem, you'll need to find the reasons why your specific user doesn't have the necessary rights to add, edit, or remove a file or directory.

Before digging deeper, let’s remember the fundamentals.

• A user account is a set of configurations and information that tells the OS, which files and folders a user has access to, what it can do with them, and other settings like preferences or network resources. A properly configured user account should authenticate and authorize you to use specific resources, including SFTP.
• User account types Every user account has a specific kind that determines their permission level and their actions at the OS level. For instance, there are admin users in Windows and root users in Linux.
• A user group is a collection of user accounts with the same permissions and security rights. Every user account is a member of at least one group.

File and folder permissions

Permissions are the authorization and access rights methods for allowing users and groups to do a particular action. For example, with configured permissions, the SFTP server determines which users and groups can access which files or folders (and what they can do with them).

To determine your user account type, its group, and permissions, continue to the next section.

2. A Closer Examination

This error is also known as the permission denied error code 3. It happens due to an SFTP server’s user permission to a file or directory being denied. In other words, the server is rejecting access to its files and folders for a specific (or all) user.

On a Linux machine, the SFTP error permission denied looks as follows:

Cannot create remote file 'TEST'. Permission denied. Error code: 3 Error message from server: Permission denied

On Windows, while using a client such as WinSCP or Bitvise, the message looks something like this:

How to fix the SFTP permission denied

To solve the permission denied error, you’ll need to access the SFTP server via SSH, with superuser or root privileges. There, you’ll verify all your files/folders permissions and ensure they are granted correctly. Ensure you are using the correct usernames and that such usernames belong to the right group. Finally, grant read/write access for your user on those specific directories.

A quick note: There is a similar error message; the SFTP permission denied (public key). When you get this error, you cannot even access the (SSH or SFTP) server. The error message states that the server is denying access due to an incorrect public key authentication. Check the credentials (username and password) from the local client and ensure you are using the correct SSH public key. If the problem occurs network-wide, check the authorized_keys ownership and permissions on the server.

3. Fixing the SFTP permission denied error on a Windows SFTP Server

The first step to fixing the SFTP permission denied is to gather enough data on users, groups, and their permissions over specific files and directories.

• To see the users on Windows, open the Run dialog box (Win+R), type “lusrmgr.msc”, and hit enter. This action will open the Local Users and Groups snap-in. There, you’ll be able to see the Users along with their groups.

• In windows, you can also use the command “net user /domain username” to learn about those users’ users and group memberships.

• If you want to know the permission level on a specific file or folder, right-click on it, and select “Properties”.
• Go to Security > Group or user names > Permissions for “username”.
• In this window, you’ll see all the user accounts and groups with permissions for that specific file or folder. When you select a user or group, you’ll see its assigned permissions under the “Permissions for Users”.

• If you found that the file or folder doesn’t have the necessary permissions for that particular user, then that might be why the SFTP permission denied error.
• To modify permissions and ownership, click on “Advanced”.
• If you want to add a user to that specific file or folder or change “Ownership”, click on “Add”. You can also click on “Change” right after the “Owner” name.

• Click on “Select a principal”. A new window will open > “Select User or Group”.
• On the bottom blank field, enter the user's object name.

• You can find your object name using the “Check Names” option on the left.
• If you can’t find it try the following: From the local computer (SFTP client).
  • In the Windows search box, type “Computer.
  • Right-click on “This PC” and select “Properties”.
  • You’ll find the object name listed under, Computer name, domain, and workgroup settings.

4. How to solve the SFTP Permission denied on a Linux SFTP Server?

So, what do you need to fix the SFTP permission denied error on a Linux SFTP server? Start by determining the users, groups, and permission levels to specific files and directories.

• On the Linux SFTP server, access the console terminal. You can use Ctrl+Alt+T or from the Search bar via the Linux dashboard. Or use SSH if you have remote access.
• On the terminal, issue a “$whoami” command to see the current username. In addition, you can also use the command “$ groups” to identify the user's group membership.
• Use a “ls -l” command to list the files, directories, and permissions. This command will also help you see each user and their group. 

• The first column from the output represents the permission level. The third and fourth columns represent the file/directory owner username and group. And The last column is the file name, directory, or symbolic link.
• For instance, the 8th line shows a directory (d) named “jack”. This directory belongs to user “jack”, in the group “staff”. The folder has a permission level defined as “drwxr-xr-x”, which means user Jack should be able to read, write, and execute (rwx). At the group level, all members should read and execute (no write). Finally, everybody else is also allowed to read and execute (no write).

SFTP Permission Denied Solutions

If the target file or directory belongs to someone else or doesn’t allow reading, writing, and executing, you’ll need to:

• Change ownership
• Modify permissions

For both solutions described below, you’ll need superuser or root privileges in the SFTP server.

Solution 1. Change the ownership of the file or directory or change the user to a new group

First, you’ll need to determine the current owner of the file/directory (use ls -l). Then, if it is incorrectly assigned, you’ll need to change its ownership with the “chown” command.

$ ls -l

$ chown [user] [file]

• You can also assign the user to the right group to read and write the directory or file. Finally, use the “usermod” command to modify the user account by appending it (-a) to a target group (G).

$ ls -l 

$ usermod -a -G [target group]

Solution 2. Set the permissions on files or directories

Use the command “chmod” to modify the permissions on the target file or directory. The syntax of the command is as follows:

$chmod [options] [permissions] [target_file_name]

• The [permissions] on the command define the user’s (owner) permissions for the file, the group members who own the file or directory, or anyone else (others) that also plays a role on the file or directory. Permissions can be represented with alphanumeric characters or octal numbers.
• Let’s say, you as the owner of the file named TEST, want to modify the file with a new set of permissions, so that:
  • You (the user) can read, write, and execute (rwx)
  • All the group members can read and execute (rx)
  • And all others can read and execute (rx).

In alphanumeric representation:

$chmod u=rwx,g=rx,o=rx TEST

In octal numbers:

$chmod 755 TEST

As an example, if you are trying to transfer an HTML document to a server via SFTP to the directory “/usr/local/bin” and from the “ls-l” command, you found out that this directory is owned by root with permission 775, you'll only need to add your “trusted user” to the root's group.

5. Alternative ways to solve the Permission denied error

Most of the time, the SFTP permission denied error results from the poor user, groups, and permissions management. To avoid this error, you'll need to look for client/server solutions that allow you more accessible and fine-grain administration of user accounts and permissions.

If using OpenSSH for Windows (or Linux), constantly update it to the latest version. In addition, do not limit yourself to a single SFTP client solution, but try others. Try other SFTP/SSH server solutions, as some old projects are deprecated or abandoned. If possible, try SFTP client and server from the same vendor—for instance, Bitvise or Serv-U MFT.

a. The Serv-U MFT – FREE TRIAL

SolarWinds' Serv-U file Managed File Transfer is a simple and easy-to-use secure file transfer solution. The Managed File Transfer (MFT) solution supports FTP, FTPS, SFTP, HTTP, and HTTPS (over IPv4 or IPv6). In addition, it provides centralized remote file transfer management and automation capabilities from a web console.

The Serv-U MFT solution integrates with an existing Active Directory and LDAP server to help you control permissions and user access for large networks. It synchronizes all user account information and simplifies authentication. With the Serv-U MFT, you can configure limits and customize settings for all file transfer operations of users, groups, domains, and servers. Change user and groups, or modify directories, files, and permissions, all from one place.

Highlights

• Supports an unlimited number of user accounts and domains.
• Create an SSH private key or load one.
• Manage users, groups, and directories from the same console.
• Keep track of your server and domain logs for easier troubleshooting.

Download: Serv-U MFT Server is deployable on-premises. It installs on Windows or Linux platforms. Click here for a fully functional 14-day free trial.

b. Bitvise

Bitvise is an SSH end-to-end solution for Windows. It provides SSH Server and SSH Client and supports file transfer protocols SFTP and SCP. The SSH Client for Windows includes a terminal emulator, graphical and command-line file transfer, and tunneling features. The Bitvise SFTP client is compatible with a wide variety of clients.

Highlights: 

• 2FA. Implement Two-Factor Authentication (2FA) with SFTP clients.
• Create a virtual filesystem. SFTP clients can be restricted to single or multiple directories in a virtual filesystem.
• Support for virtual accounts. Bitvise allows you to create and manage virtual accounts backed by the identity of Windows accounts.
• And a lot more.

Note: Bitvise creates these virtual accounts (BvSsh_VirtualUsers) with SSH server permission, but still, it will use Windows to provide the security context for the session. So if you are logging in to the SFTP server with such accounts and haven’t updated the filesystem permissions (on the root directory), you’ll get the SFTP permission denied.

Download: Bitvise SSH Server is available to Download for a fully functional 30 days trial. Τhe limited Bitvise SSH server personal edition is offered free of charge.

6. Conclusion

In this troubleshooting guide to “SFTP permission denied,” we went through the steps of tracing and solving this infamous error. To get a hint on where to start, go to the SFTP server and analyze the permissions and ownerships of the user’s files and folders. If a user (or group) doesn’t have the necessary permissions (rwx) over their directory, then it is very likely that this is the source of the SFTP permission denied.

As per suggestions from the post, go ahead and update those permissions. Using alternative solutions such as Serv-U or Bitvise will also help you avoid mistakes when managing user and permissions (especially in Windows servers). Such solutions provide better management and more flexibility when configuring users and permissions.

SFTP Troubleshooting FAQs