Help with SFTP only access on our webserver
-
Ok, so I have a user setup for SFTP only access, and I have this in the SSH config file:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgroup
    ChrootDirectory /var/www/sites/site.domain.com/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
The user is created by using this command:
adduser <user> --ingroup sftpgroup --shell /bin/nologin
They can SFTP in, and they get dumped into the right folder (their username folder), but they cannot create folders or files; they have read-only access. If I change the permissions on their folder, then I cannot connect, and if I change the path of the ChrootDirectory to be one folder up they can then get into their folder and do what is needed; however, they then have access (read and execute) on all the other user folders.
And I do not want to add a subfolder under their folder for them to write to; that would end with their site being site.domain.com/user/folder, which is silly.
Any suggestions on how I can get this working?
-
@jrc said in Help with SFTP only access on our webserver:
Ok, so I have a user setup for SFTP only access, and I have this in the SSH config file:
Match Group sftpgroup
    ChrootDirectory /var/www/sites/site.domain.com/%u
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
The user is created by using this command:
adduser <user> --ingroup sftpgroup --shell /bin/nologin
They can SFTP in, and they get dumped into the right folder (their username folder), but they cannot create folders or files; they have read-only access. If I change the permissions on their folder, then I cannot connect, and if I change the path of the ChrootDirectory to be one folder up they can then get into their folder and do what is needed; however, they then have access (read and execute) on all the other user folders.
And I do not want to add a subfolder under their folder for them to write to; that would end with their site being site.domain.com/user/folder, which is silly.
Any suggestions on how I can get this working?
What are the permissions on /var/www/sites/site.domain.com/%u ?
-
They are set to 755 and chowned to root:root; anything else and you cannot connect.
-
@jrc said in Help with SFTP only access on our webserver:
They are set to 755 and chowned to root:root; anything else and you cannot connect.
Hmm... That may be part of the issue.
What if you chown the user's folder to root:sftpgroup ?
And set the permissions to 775 ?
-
I tried that, and the user could not connect at all.
-
In my experience the default behavior is to not allow the user of a chroot jail the ability to write to the root of the jail. There may be a way around this (I have a CentOS SFTP server that allows my chroot jailed users to write to the root of the jail (say that 5 times fast)), but in helping @jrc offline, Ubuntu seems to play less nice.
So, my suggestion is to create a directory specific for jails, like "/var/jails/<user>"
Set the chroot jail to the permissions the system is expecting (755 root:root).
Create a symlink in the jail that points the user to the folder they need access to (making sure the folder at the other end of the symlink has the appropriate permissions, of course).
In theory this should work... but we will see.
-
With help from @anthonyh we were able to come up with a work around.
I set the user's home folder (/home/<user>) as the chroot path, set that as root:root with 755 permissions. Then I created a bind mount to a subfolder called website (so /home/<user>/website is a bind mount for /var/www/sites/site.domain.com/<user>), then chowned that folder to <user>:root with 755 permissions.
Now they can SFTP in, and change to the website folder and put their stuff there. No more seeing all the other users and folders.
For the record, here are my SSHD config lines:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpgroup
    ChrootDirectory /home/%u    # or %h, either would work
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
And the steps I used to get this working:
- Create the user:
  sudo adduser <user> --ingroup sftpgroup --shell /bin/nologin
- Create a folder to house their site and set the permissions:
  sudo mkdir /var/www/sites/site.domain.com/<user>
  sudo chown <user>:root /var/www/sites/site.domain.com/<user>
- Create the bind mount for their chroot jail home:
  sudo mkdir /home/<user>/website
  sudo mount --bind /var/www/sites/site.domain.com/<user> /home/<user>/website
- Set the permissions on the chroot jail:
  sudo chown root:root /home/<user>
- Add the mount point to fstab so that it persists through reboots:
  sudo nano /etc/fstab
  Add: /var/www/sites/site.domain.com/<user> /home/<user>/website none rw,bind 0 0
It's not as neat as I'd like it, but it works.
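As an added example (not part of the thread or of OpenSSH), the following script wraps the layout described above in shell functions: one emits the sshd Match block, one emits the fstab line, one checks a directory against the ownership and write-bit rules sshd enforces on every component of a ChrootDirectory path (root-owned, not group- or world-writable), and one applies the layout. The group name sftpgroup, the /home/<user> chroot and the website bind-mount name come from the post; DRY_RUN, the function names, and the nologin path /usr/sbin/nologin are assumptions made here. By default it only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: helpers for the bind-mount SFTP chroot layout.
# Assumes Linux coreutils stat(1) and OpenSSH's ChrootDirectory rule:
# every path component owned by root and not writable by group/other.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = execute them (needs root)

# Emit the sshd_config Match block for an SFTP-only group.
sftp_match_block() {
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match Group $1" \
        "    ChrootDirectory $2" \
        "    ForceCommand internal-sftp" \
        "    X11Forwarding no" \
        "    AllowTcpForwarding no"
}

# Emit the fstab line that makes the bind mount survive reboots.
fstab_bind_line() {
    printf '%s %s none rw,bind 0 0\n' "$1" "$2"
}

# Return 0 when uid/octal-mode satisfy sshd's chroot requirements.
chroot_perms_ok() {
    uid="$1"
    bits=$((0$2))                     # parse the octal mode string
    [ "$uid" -eq 0 ] || return 1      # owner must be root
    [ $((bits & 022)) -eq 0 ]         # no group or other write bit
}

# Walk from the given directory up to / and reject the first component
# sshd would refuse; prints the offending path on failure.
check_chroot_path() {
    p="$1"
    while :; do
        uid=$(stat -c %u "$p" 2>/dev/null) || return 1
        mode=$(stat -c %a "$p" 2>/dev/null) || return 1
        if ! chroot_perms_ok "$uid" "$mode"; then
            echo "rejected: $p (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Apply the layout from the post: root-owned chroot at /home/<user>,
# user-owned site directory bind-mounted at /home/<user>/website.
setup_sftp_user() {
    user="$1"; site_dir="$2"; home="/home/$user"
    run adduser "$user" --ingroup sftpgroup --shell /usr/sbin/nologin
    run mkdir -p "$site_dir" "$home/website"
    run chown "$user:root" "$site_dir"
    run chmod 755 "$site_dir"
    run chown root:root "$home"
    run chmod 755 "$home"
    run mount --bind "$site_dir" "$home/website"
    line=$(fstab_bind_line "$site_dir" "$home/website")
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ append to /etc/fstab: $line"
    else
        printf '%s\n' "$line" >> /etc/fstab
    fi
}

# Usage (dry run by default):
#   setup_sftp_user alice /var/www/sites/site.domain.com/alice
#   sftp_match_block sftpgroup /home/%u
#   check_chroot_path /home/alice
```

Note that check_chroot_path will also reject a chroot placed under a world-writable parent such as /tmp, which is the same reason the post's attempts at 775 or user-owned chroot roots failed to connect: sshd applies the rule to the whole path, not just the leaf.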
-
@jrc Glad you were able to find a solution!