Creating & Allowing SFTP User To Access Particular Directory
I am using Ubuntu 12.04 and have used the Linode documentation to set up the server.
All my websites reside in /home -> myusername -> public -> website1 or website2 or website3
How can I create an SFTP user and give him access (read/write/execute) to ONLY the website3 folder?
Kindly help me with this, will truly appreciate any help.
8 Replies
Thanks for the post, but I have checked it:
> Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.
As I mentioned, all the websites reside under my username. So it's like giving another user access to one particular directory which is located under my home -> username.
Please guide me appropriately, I am new to this and need urgent help.
This sets the home directory to /home/myusername/public/website1
chown -R usernameofwebsite1:usernameofwebsite1 /home/myusername/public/website1/
So that the user can write, make sure you (myusername) own /home/myusername/public/
I have this in the sshd_config:
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Then, add usernameofwebsite1 to a secondary group (usermod -a -G filetransfer usernameofwebsite1)
Make sure to restart ssh and it should work like that. Haven't tested it out, but I believe this is all there is to it.
The directory you chroot a user to must be owned by root and not writeable by anyone other than root.
However, look at chesty's post there, about bind mounts.
What MIGHT work:
Give the user a separate/private home directory
Make it root-owned and root-writable, so it can be the chroot.
Create a subdirectory inside
Bindmount your website from your homedir to that dir.
Also, you should consider moving your websites from your homedir to /srv ASAP.
I store sites in /srv/sites/sitename and chroots in /srv/chroots/username, then bind mount sitename to username
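The procedure the two posts above describe (a root-owned chroot, a subdirectory inside it, the site bind-mounted into that subdirectory, and the Match block for the filetransfer group), put together as an added example script that is not code from the thread. The username "site3", the chroot location /srv/chroots and the use of /usr/sbin/nologin as the account's shell are assumptions; the site path and the group name are taken from the thread. The ownership check is the rule sshd enforces on ChrootDirectory, so the script refuses to continue if the chroot would be rejected.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Creates a chrooted SFTP account that
# can reach exactly one site through a bind mount, following the posts above.
# Assumed names: SFTP user "site3", chroots under /srv/chroots, shell nologin.
set -eu

SITE_DIR="/home/myusername/public/website3"   # the OP's site directory
SFTP_GROUP="filetransfer"                     # group from the sshd_config post
CHROOT_BASE="/srv/chroots"                    # assumed location for chroots

# sshd refuses a ChrootDirectory that is not root-owned or that group/others
# can write to. Returns 0 when $1 satisfies both rules, 1 otherwise.
chroot_dir_ok() {
    local dir="$1" owner perms other rest group
    owner=$(stat -c '%u' "$dir")     # GNU stat, as on Ubuntu
    perms=$(stat -c '%a' "$dir")     # e.g. 755 or 2755
    [ "$owner" = "0" ] || return 1
    other=${perms#"${perms%?}"}      # last octal digit: others
    rest=${perms%?}
    group=${rest#"${rest%?}"}        # second-to-last digit: group
    case "$group$other" in
        *[2367]*) return 1 ;;        # a digit with the write bit set
    esac
    return 0
}

# The Match block from the post above. Printed so it can be reviewed;
# setup_sftp_user appends it to sshd_config (Match blocks must come last).
sshd_match_block() {
    printf '%s\n' \
        "Match Group $SFTP_GROUP" \
        "    ChrootDirectory %h" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no" \
        "    ForceCommand internal-sftp"
}

# Create the user, the root-owned chroot and the bind mount. Run as root.
setup_sftp_user() {
    local user="$1" chroot="$CHROOT_BASE/$1"
    groupadd -f "$SFTP_GROUP"
    mkdir -p "$chroot/site"
    chown root:root "$chroot"
    chmod 755 "$chroot"
    chroot_dir_ok "$chroot" || { echo "$chroot fails sshd's chroot rules" >&2; return 1; }
    # internal-sftp runs inside sshd, so the account needs no real shell.
    id "$user" >/dev/null 2>&1 || \
        useradd -M -d "$chroot" -s /usr/sbin/nologin -G "$SFTP_GROUP" "$user"
    # The post's chown: the SFTP user owns the site's files. They stay
    # world-readable so the web server (usually www-data) can still serve them.
    chown -R "$user:$user" "$SITE_DIR"
    # Make the site visible inside the chroot, and persist it across reboots.
    mountpoint -q "$chroot/site" || mount --bind "$SITE_DIR" "$chroot/site"
    grep -qF "$chroot/site" /etc/fstab || \
        echo "$SITE_DIR $chroot/site none bind 0 0" >> /etc/fstab
    # Add the Match block once, validate the config, then restart sshd.
    grep -q "^Match Group $SFTP_GROUP" /etc/ssh/sshd_config || \
        sshd_match_block >> /etc/ssh/sshd_config
    sshd -t && service ssh restart
}

# Usage: sudo ./sftp-chroot.sh apply [username]
if [ "${1:-}" = "apply" ]; then
    setup_sftp_user "${2:-site3}"
fi
```

Inside the chroot the user sees only /site (the bind mount) and nothing of the rest of the filesystem; the chroot itself stays root-owned and read-only for the user, which is why the writable directory has to be one level down. Run the script without "apply" to load the functions only; chroot_dir_ok can then be pointed at any directory to confirm sshd would accept it.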
> @rsk:
> Nuh uh - no can do.
> The directory you chroot a user to must be owned by root and not writeable by anyone other than root. However, look at chesty's post there, about bind mounts.
> What MIGHT work:
> Give the user a separate/private home directory
> Make it root-owned and root-writable, so it can be the chroot.
> Create a subdirectory inside
> Bindmount your website from your homedir to that dir.
> Also, you should consider moving your websites from your homedir to /srv ASAP.
Thanks - I thought it would just have to be owned by someone else, and perhaps with certain permissions set on it. Good to know it has to be root.
I very much followed the Linode documentation and ended up with this. Basically, Linode asked for the creation of a separate superuser and logging in via SSH as that user rather than using the default root username. So now all my websites are at
/home/superuser/public
The owner and group name is also exactly "superuser".
What is the conventional place for putting all the websites and how do I move all my websites to that place without much fuss ?
Would really appreciate some help.
However, that makes sharing access to website code between different usernames very problematic.
If your webserver has a single, primary goal, or if you need to give multiple users access to a website, it's much better to use /srv (if such a directory does not exist, feel free to create it).
If you use /srv, your websites are not tied to users; however, when you're using sftp chroot, you will need to bind-mount the website directory into each user's home directory so they can reach it from inside the chroot.
Also, if you're granting multiple users access to website code, you may end up with some trouble when different users create files and put different permissions on them - this can be mostly mitigated by setting up appropriate ACLs on the website directories.
For a concrete, if a bit complicated, example: one of my webservers is a mix that hosts a bunch of "main" sites and some separate ones for friends.
Main ones are in /srv, and are being edited by our core team (multiple users); we have ACLs in place to minimize the permission issues, shell access, and non-chrooted sftp.
Friends have theirs inside their homedirs, and are chrooted so can't access anything outside of their homedir.
As for moving the existing website, well, it depends on what the website is.
Some CMS systems are known to hardcode disk path in various places in the database, for example.
But in general - create /srv/websitename, move the files from the current location to there, adjust the webserver's configuration to use that directory, and see if it works.
If it doesn't, time to investigate.
Are the permissions on the files set so webserver can read all it needs to read, and write where it needs to write? (Be very careful about the second part, write access should be as limited as possible).
Can you see some errors referring to the old path? Then there are some references to the old path in some config files of the webserver or website (or in the DB). These have to be edited.
If you're using some popular package, like Wordpress, or Drupal, or such, asking for help in their forums would give you more concrete information.
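The move-to-/srv procedure and the ACL suggestion from the post above, as an added example script that is not code from the thread. The group name "webdev", the web server user "www-data" (Ubuntu's default) and a writable "uploads" subdirectory are assumptions; the old path is the OP's. The ACLs give the team read/write, the web server read-only (write only under uploads), and everyone else nothing, which is the "write access as limited as possible" rule from the post. After the move it counts files that still contain the old path, which is the check the post describes, so the leftover references can be found before the site is put back online.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Moves a site from a home directory
# into /srv, sets ACLs so a team group can edit while the web server only reads
# (uploads excepted), and reports files that still mention the old path.
# Assumed names: group "webdev", web server user "www-data", dir "uploads".
set -eu

WEBDEV_GROUP="webdev"
WEB_USER="www-data"

# Count files under $2 that still contain the literal old path $1 (vhost
# configs, .htaccess, a CMS config or an SQL dump). Prints the number of files.
count_old_path_refs() {
    grep -rlF -- "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Shared-access ACLs for one site directory (needs root and an ACL-enabled fs).
set_site_acls() {
    local site="$1"
    groupadd -f "$WEBDEV_GROUP"
    chgrp -R "$WEBDEV_GROUP" "$site"
    find "$site" -type d -exec chmod g+s {} +    # new files inherit the group
    # Team: read/write; web server: read only; others: nothing.
    # "X" grants execute only on directories and already-executable files.
    setfacl -R -m "g:$WEBDEV_GROUP:rwX,u:$WEB_USER:rX,o::---" "$site"
    # The same rules as default ACLs, so files created later inherit them.
    setfacl -R -d -m "g:$WEBDEV_GROUP:rwX,u:$WEB_USER:rX,o::---" "$site"
    # The web server may write only where it actually needs to.
    if [ -d "$site/uploads" ]; then
        setfacl -R -m "u:$WEB_USER:rwX" "$site/uploads"
        setfacl -R -d -m "u:$WEB_USER:rwX" "$site/uploads"
    fi
}

# Move /home/<user>/public/<site> to /srv/<site>, apply the ACLs, then report
# stale path references. The vhost config itself still has to be edited.
migrate_site() {
    local old="$1" new dir n
    new="/srv/$(basename "$1")"
    if [ -e "$new" ]; then
        echo "$new already exists" >&2
        return 1
    fi
    mkdir -p /srv
    mv "$old" "$new"
    set_site_acls "$new"
    for dir in "$new" /etc/apache2 /etc/nginx; do
        [ -d "$dir" ] || continue
        n=$(count_old_path_refs "$old" "$dir")
        [ "$n" = "0" ] || echo "$n file(s) under $dir still reference $old" >&2
    done
    echo "moved $old -> $new"
}

# Usage: sudo ./move-site.sh apply [/home/superuser/public/website3]
if [ "${1:-}" = "apply" ]; then
    migrate_site "${2:-/home/superuser/public/website3}"
fi
```

Check the result with getfacl on the new directory: the group entry should show rwx, the www-data entry r-x, and other ---; a fresh file created there by a team member should carry the same entries without any further chmod, which is what the default ACLs are for.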