Add/configure users to only access their sites via ssh/sftp?

Is there anything in the documentation or elsewhere that demonstrates how to do the following?

1. Add a new user

2. Grant them SSH and SFTP access to only their home directory and their websites.

I host a number of client websites (e.g. /srv/www/myclient.com/public_html) on my Linode server. I now want to be able to add users to my server who will have the ability to SSH and SFTP into their websites. Being an infrequent Linux admin, I'd simply like to know how best to make this happen … and if there are any best practices I should follow in order to make sure things are as secure as possible with this scenario.

Thanks much - wg

5 Replies

By default they will have write access only to their home directories, but read access to most of everything else. If you want to prevent read access to the rest of the system, you need to look into using chroot.

This guide covers setting up SFTP jails. Note that you would need to set the appropriate home directory for the user with something like `usermod -d /srv/www/myclient.com username` first. The user's home directory, as well as the directories above it, must be owned by root and not writable by any other user or group.

Allowing SSH access would be considerably more involved. It requires that copies of all binaries and device nodes that the user may need be present under the user's home directory.
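Added example, not part of the original replies or the linked guide: a small shell audit for the ownership rule stated above, walking from the intended jail directory up to `/` and flagging any component that is not root-owned or is writable by group or others. The function names `perm_ok` and `check_chroot_path` are hypothetical, and the script assumes GNU `stat` (`stat -c`), as found on Linux.

```shell
#!/bin/sh
# Added example: audit a directory intended as an SFTP chroot.
# Rule from the answer above: the directory and every directory above it
# must be owned by root and not writable by any other user or group.

# perm_ok UID MODE -> 0 if owner is root (uid 0) and MODE (octal, as printed
# by `stat -c %a`) has neither the group-write nor the other-write bit set.
perm_ok() {
    [ "$1" = "0" ] || return 1
    case $2 in
        ''|*[!0-7]*) return 1 ;;   # empty or non-octal mode: treat as failure
    esac
    # Leading 0 makes the shell read the mode as octal; 022 = g+w | o+w.
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> 0 only if DIR and all of its parents pass perm_ok.
# Symlinks are resolved first (pwd -P); one result line is printed per component.
check_chroot_path() {
    [ -n "$1" ] || { echo "usage: check_chroot_path DIR"; return 2; }
    ccp_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: not an accessible directory"; return 1; }
    ccp_rc=0
    while :; do
        ccp_info=$(stat -c '%u %a' "$ccp_dir" 2>/dev/null) || ccp_info=""
        ccp_uid=${ccp_info%% *}
        ccp_mode=${ccp_info##* }
        if perm_ok "$ccp_uid" "$ccp_mode"; then
            echo "ok   $ccp_dir (uid=$ccp_uid mode=$ccp_mode)"
        else
            echo "FAIL $ccp_dir (uid=$ccp_uid mode=$ccp_mode)"
            ccp_rc=1
        fi
        if [ "$ccp_dir" = "/" ]; then break; fi
        ccp_dir=$(dirname "$ccp_dir")
    done
    return $ccp_rc
}

# Stand-alone use, e.g.: sh check.sh /srv/www/myclient.com
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Because the jail root itself cannot be writable by the client, uploads go into a subdirectory inside it that the client owns, such as the `public_html` directory from the question.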

For the SSH case, I've used jailkit before, with good success.

There's also debootstrap. :-)

@Vance:

> This guide covers setting up SFTP jails. Note that you would need to set the appropriate home directory for the user with something like `usermod -d /srv/www/myclient.com username` first. The user's home directory, as well as the directories above it, must be owned by root and not writable by any other user or group.
>
> Allowing SSH access would be considerably more involved. It requires that copies of all binaries and device nodes that the user may need be present under the user's home directory.

Thanks for the link … worked perfectly.

As I'm running on a LEMP stack, with all of my sites running under www-data:www-data, will I have any problems with these SFTP users uploading files that need to be served by Nginx given that the owner will be myuser:myuser?

They will be uploading, for the time being, php, html, css, javascript files.

Thanks again.

By default the files created will have read permissions for owner, group and others, so no - nginx should serve files just fine. There may however be a problem with PHP when writing files; this happens quite a lot on hosting environments. Reading PHP will be fine, but if you need to upload stuff or things like that you'll have to set the folder where it is stored to a more open chmod. Unless of course PHP also runs on www-data.
