I need to set up an SFTP account on Ubuntu 18.04 that meets the following requirements:
- Can upload to subfolder of website i.e. example.com/subfolder/
- Uploaded files belong to www-data group so are visible to nginx
- User cannot see outside of the given directory
I did some research and found that what I needed was a Chroot.
So I tried this:
```
adduser --home /var/www/mysite/uploadfolder --no-create-home myusers
usermod -aG www-data myusers
chmod 2770 /var/www/mysite/uploadfolder/
chmod -R g+w /var/www/mysite/uploadfolder/
setfacl -m g:www-data:rwx /var/www/mysite/uploadfolder/
```
Then I added this to sshd_config:
```
Match User mvpdocs
    ChrootDirectory /var/www/mysite/uploadfolder/
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
```
But this doesn't work. I did some research and OpenSSH won't allow it because the Chroot folder must be owned by root and not be group writable. If I switch the path to a root-owned folder in the /home directory then it works fine, but I need the user to upload to the subdirectory.
How do I get around this issue? Can I symlink the directory and declare the symlinked directory as part of the Chroot? I saw mention that this is possible but no examples.
What is the easiest way for me to achieve a simple SFTP account uploading to a subdirectory of the website?
EDIT:
I used `mount --bind /var/www/mysite/uploadfolder/ /home/user/docs/`
and it worked, but all the files uploaded are owned by the user and have the user's group.
How can I make them have group www-data so they can be managed by the webserver and PHP?
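
Added example, not part of the original post: a shell check for the two conditions the question runs into, namely sshd's ownership rule for `ChrootDirectory` (which the `chmod 2770` above violates) and the group/setgid state of the writable upload directory. It assumes GNU `stat` and `readlink` as on Ubuntu; the function names are hypothetical, and treating `/home/user` as the chroot with `/home/user/docs` as the bind-mounted upload directory is an assumption based on the EDIT.

```shell
#!/bin/sh
# Added example (not the poster's code). Requires GNU stat/readlink.

# sshd's ChrootDirectory rule for one path component:
# owned by root (uid 0) and not writable by group or others.
component_ok() {   # usage: component_ok OWNER_UID OCTAL_MODE
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Check DIR and every parent up to /; print the first offending component.
chroot_path_ok() {   # usage: chroot_path_ok DIR
    cur=$(readlink -f -- "$1") || return 2
    [ -d "$cur" ] || return 2
    while :; do
        set -- $(stat -c '%u %a' -- "$cur")
        if ! component_ok "$1" "$2"; then
            echo "not usable as chroot: $cur (uid=$1 mode=$2)"
            return 1
        fi
        [ "$cur" = / ] && return 0
        cur=$(dirname -- "$cur")
    done
}

# The writable upload directory inside the chroot: its group must match and
# the setgid bit (02000) must be set so new files inherit that group.
upload_dir_ok() {   # usage: upload_dir_ok DIR GROUP
    set -- "$2" $(stat -c '%G %a' -- "$1")
    [ "$1" = "$2" ] && [ $(( 0$3 & 02000 )) -ne 0 ]
}

# Audit both directories; paths are passed in by the caller, for example:
#   audit_layout /home/user /home/user/docs www-data   (assumed layout)
audit_layout() {   # usage: audit_layout CHROOT_DIR UPLOAD_DIR GROUP
    rc=0
    chroot_path_ok "$1" || rc=1
    if ! upload_dir_ok "$2" "$3"; then
        echo "upload dir $2: group is not $3 or setgid bit is missing"
        rc=1
    fi
    return $rc
}
```

Uploaded files also need group-write or group-read permission to be useful to the web server; `sftp-server` accepts `-u umask`, so `ForceCommand internal-sftp -u 0007` is one way to set that.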