Creating & Allowing SFTP User To Access Particular Directory

Hi,

I am using Ubuntu 12.04 and have used linode documentation to set up server.

All my websites reside in /home -> myusername -> public -> website1 or website2 or website3

How can I create an SFTP user and give him access (read/write/execute) to ONLY the website3 folder?

Kindly help me with this, will truly appreciate any help.

8 Replies

This should help http://library.linode.com/security/sftp-jails

@obs

Thanks for the post but I have checked it,

> Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.

As I mentioned, all the websites reside under my username. So it's like giving another user access to one particular directory which is located under my home -> username.

Please guide me appropriately, I am new to this and need urgent help.

1. usermod -d /home/myusername/public/website1 usernameofwebsite1

This sets the home directory to /home/myusername/public/website1

2. chown -R usernameofwebsite1:usernameofwebsite1 /home/myusername/public/website1/

So that the user can write, make sure you (myusername) own /home/myusername/public/

I have this in the sshd_config:

Match group filetransfer
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Then, add usernameofwebsite1 to a secondary group (usermod -a -G filetransfer usernameofwebsite1)

Make sure to restart ssh and it should work like that. Haven't tested it out but I believe this is all there is to it :)

Nuh uh - no can do. The directory you chroot a user to must be owned by root and not writeable by anyone other than root.

However, look at chesty's post there, about bind mounts.

What MIGHT work:

  • Give the user a separate/private homedirectory

  • Make it root-owned and root-writable, so it can be the chroot.

  • Create a subdirectory inside

  • Bindmount your website from your homedir to that dir.

Also, you should consider moving your websites from your homedir to /srv ASAP.

What rsk said is correct, you can use mounts.

I store sites in /srv/sites/sitename and chroots in /src/chroots/username, then bind mount sitename to username.

@rsk:

> Nuh uh - no can do. The directory you chroot a user to must be owned by root and not writeable by anyone other than root.
>
> However, look at chesty's post there, about bind mounts.
>
> What MIGHT work:
>
>   • Give the user a separate/private homedirectory
>
>   • Make it root-owned and root-writable, so it can be the chroot.
>
>   • Create a subdirectory inside
>
>   • Bindmount your website from your homedir to that dir.
>
> Also, you should consider moving your websites from your homedir to /srv ASAP.

Thanks - I thought it would just have to be owned by someone else, and perhaps with certain permissions set on it. Good to know it has to be root.

Thanks rsk,

I very much followed the linode documentation and ended up with this. Basically linode asked for the creation of a separate super user and logging in via ssh as that user rather than using the default root username. So now all my websites are at

/home/superuser/public

The owner and group name is also exactly "superuser"

What is the conventional place for putting all the websites and how do I move all my websites to that place without much fuss?

Would really appreciate some help.

If you are hosting unrelated websites for multiple people - i.e. you are the server owner, and offer webhosting for customers or friends - putting each user's website under their home directory makes some sense, as you can then e.g. easily use the SFTP chroot jails.

However, that makes sharing access to website code between different usernames very problematic.

If your webserver has a single, primary goal, or if you need to give multiple users access to a website, it's much better to use /srv (if such directory does not exist, feel free to create it).

If you use /srv, your websites are not tied to users; however, when you're using sftp chroot, you will need to bind-mount the website directory to each user's home directory so they can reach it from inside of the chroot.

Also, if you're granting multiple users access to website code, you may end up with some trouble when different users create files, and put different permissions on them - this can be mostly mitigated by setting up appropriate ACLs on the website directories.

For a concrete, if a bit complicated example, one of my webservers is a mix that hosts a bunch of "main" sites and some separate ones for friends.

Main ones are in /srv, and are being edited by our core team (multiple users); we have ACLs in place to minimize the permission issues, shell access, and non-chrooted sftp.

Friends have theirs inside their homedirs, and are chrooted so can't access anything outside of their homedir.

As for moving the existing website, well, it depends on what the website is.

Some CMS systems are known to hardcode disk path in various places in the database, for example.

But in general - create /srv/websitename , move files from current location to there, adjust the webserver's configuration to use that directory, and see if it works. :)

If it doesn't, time to investigate.

Are the permissions on the files set so webserver can read all it needs to read, and write where it needs to write? (Be very careful about the second part, write access should be as limited as possible).

Can you see some errors referring to the old path? Then there are some references to old path in some config files of the webserver or website (or in the DB). This has to be edited.

If you're using some popular package, like Wordpress, or Drupal, or such, asking for help in their forums would give you more concrete information.
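One way to carry out rsk's steps with the /srv layout and the Match block quoted earlier in the thread, as an added example that is not code from any poster; the site name "website3", the jail user "web3", the group "filetransfer" and the /srv/sites and /home paths are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: jail one SFTP user to one site using the
# layout from this discussion (site under /srv, root-owned chroot in the user's
# home, site bind-mounted into the jail). All names below are assumptions.
set -e

SITE=website3; JAIL_USER=web3; JAIL_GROUP=filetransfer
SITE_DIR=/srv/sites/$SITE
JAIL=/home/$JAIL_USER    # ChrootDirectory: root-owned, not group/other writable

# sshd's ChrootDirectory rule as a pure check on owner uid and octal mode:
# succeeds only when the owner is root and neither group nor other can write.
chroot_mode_ok() {
  [ "$1" -eq 0 ] || return 1
  [ $(( 0$2 & 022 )) -eq 0 ]
}
# Same check against a directory that already exists on disk (GNU stat).
chroot_dir_ok() {
  chroot_mode_ok "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}

# Match block that confines the group to SFTP inside its home directory.
sshd_match_block() {
  cat <<EOF
Match Group $JAIL_GROUP
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
EOF
}
# /etc/fstab entry that makes the site visible inside the jail.
fstab_line() {
  printf '%s %s none bind 0 0\n' "$SITE_DIR" "$JAIL/$SITE"
}

# Root-only procedure; invoked with --apply so the checks above can run alone.
setup_jail() {
  groupadd -f "$JAIL_GROUP"
  useradd -d "$JAIL" -s /usr/sbin/nologin -G "$JAIL_GROUP" "$JAIL_USER"
  mkdir -p "$JAIL/$SITE" "$SITE_DIR"
  chown root:root "$JAIL" && chmod 755 "$JAIL"   # satisfy the chroot rule
  chroot_dir_ok "$JAIL"                          # abort (set -e) if it failed
  chown -R "$JAIL_USER:$JAIL_USER" "$SITE_DIR"   # writable only below the site
  fstab_line >> /etc/fstab && mount "$JAIL/$SITE"
  sshd_match_block >> /etc/ssh/sshd_config
  sshd -t && service ssh restart                 # validate, then restart (12.04)
}

if [ "${1:-}" = "--apply" ]; then setup_jail; fi
```

Run it without arguments to use only the checks and the generated config lines; `--apply` performs the root-only setup.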
