
Can I set up

  • a secure FTP for somebody (not a current user on the system)
  • for 2 different directories on Ubuntu
  • inside public_html?

I don't want to give the user a pure SSH account right now.

Any other secure way to upload, download and delete files is good too. nginx is available, not apache2.

dunxd
Radek

5 Answers


Try using scponly.

Edit:

Example set-up:

1) create account for using scponly:

sudo useradd joe

2) change default shell for the account:

sudo chsh -s /usr/bin/scponly joe

(make sure that /usr/bin/scponly is listed in /etc/shells)

3) you can set joe's home directory to /my/web/site/dir (this changes the home field in /etc/passwd):

sudo usermod -d /my/web/site/dir joe

4) modify permissions:

sudo chgrp -R joe /my/web/site/dir
sudo chmod -R g+w /my/web/site/dir

5) If you are using the AllowUsers directive in /etc/ssh/sshd_config, add joe to the list of users that can log in.

6) restart ssh:

sudo /etc/init.d/ssh restart

7) test from another host:

scp web_site_stuff.html joe@site.com:
Casual Coder
  • @Casual Coder: I like scponly but I am not sure how I can handle the permissions. I want to give access to the installation of WordPress but I guess I cannot change the permission from www-data to something else. So should I add this new user to the www-data group? – Radek Sep 20 '10 at 09:23
  • You can create for instance an scp group, change your scp-accessible dir owner:group to `www-data:scp`, and grant write permissions to the scp group. – Casual Coder Sep 20 '10 at 10:07
  • Would the web server work OK if I change the group permission from www-data? – Radek Sep 20 '10 at 11:51
  • User `www-data` is still the owner of the dir and has appropriate permissions. Only the group has changed. – Casual Coder Sep 20 '10 at 12:03
  • Of course you can go with the `www-data` group with write permission and add the scp user (joe in the example) to the `www-data` group, but in my opinion it would be less secure. – Casual Coder Sep 20 '10 at 12:14
  • And this is what confuses me ... – Radek Sep 20 '10 at 12:17
  • `www-data` (user and group) is the account under which your web server is running, so granting write access to that user/group should be considered carefully. Of course in cases like setting up WebDAV access, or uploading files, you need to grant write access to `www-data`, but then you secure the system in other ways (in the case of WebDAV: TLS + authentication; in the case of uploads: a separate directory outside of the public path). – Casual Coder Sep 20 '10 at 12:51
  • OK, but how can I grant access to only two websites sitting inside /srv/www, not to all of them? – Radek Sep 20 '10 at 22:43

I believe that you could use rssh to set up a restricted shell to provide access over sftp but not over, say, ssh. I also believe that you could "lock" the user to specific folders by using chroot. Here are two links that explain this further:

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh

Linux Configure rssh Chroot Jail To Lock Users To Their Home Directories Only

Please note that I have actually never done this myself.

Edit: As Zoredache points out, it may be a better solution to do the chrooting in the sshd config directly, instead of doing this in the rssh config as the above link suggests.

Avada Kedavra

Make one home directory for the new user, then symlink the other two directories into that home directory and give those two folders appropriate permissions.

user54718

Finally I used Limiting Access with SFTP Jails on Debian and Ubuntu.

Radek
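The SFTP jail Radek settled on (an sshd Match block with ChrootDirectory and internal-sftp), combined with the www-data:group permission scheme Casual Coder describes in the scponly thread, worked through as an added example; it is not code from the original thread or from the linked guide. Assumptions: user joe, group sftponly, jail directory /srv/sftp/joe, site docroots /srv/www/a.example and /srv/www/b.example, Ubuntu with OpenSSH 5.4 or later (for the internal-sftp -u umask option). A symlink inside the chroot cannot reach /srv/www, which is why the two docroots are bind-mounted into the jail rather than linked; chroot_dir_problems reproduces sshd's ownership and mode check on every path component, so you can see in advance why a group-writable jail root gets "bad ownership or modes for chroot directory".

```shell
#!/bin/sh
# Added example (not from the original thread): give one SFTP-only user
# access to exactly two web sites under /srv/www with an OpenSSH chroot jail.
# Assumed names: user "joe", group "sftponly", jail /srv/sftp/joe,
# sites /srv/www/a.example and /srv/www/b.example.
set -eu

# sshd_config fragment for the jailed user. ChrootDirectory and all of its
# parents must be root-owned and not group/world-writable, so the writable
# areas are the bind-mounted subdirectories, never the jail root itself.
# "-u 0002" (OpenSSH 5.4+) makes uploads group-writable for www-data.
sshd_match_block() {
    printf '%s\n' \
        "Match User $1" \
        "    ChrootDirectory $2" \
        "    ForceCommand internal-sftp -u 0002" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Reproduce sshd's check ("bad ownership or modes for chroot directory"):
# walk from the jail up to / and print one line per offending component.
# Empty output means the path is acceptable as a ChrootDirectory.
chroot_dir_problems() {
    d=$1
    while :; do
        owner=$(stat -c '%u' "$d")
        mode=$(stat -c '%a' "$d")        # e.g. 755, 2775 or 1777
        other=${mode#"${mode%?}"}        # last octal digit (world bits)
        rest=${mode%?}
        grp=${rest#"${rest%?}"}          # second-to-last digit (group bits)
        [ "$owner" = 0 ] || echo "not-root-owned $d"
        case $grp   in 2|3|6|7) echo "group-writable $d" ;; esac
        case $other in 2|3|6|7) echo "world-writable $d" ;; esac
        [ "$d" = / ] && break
        d=$(dirname "$d")
    done
}

# Root-only installer. Usage:
#   SFTP_JAIL_INSTALL=1 sh sftp-jail.sh joe sftponly /srv/sftp/joe \
#       /srv/www/a.example /srv/www/b.example
setup_sftp_jail() {
    user=$1; group=$2; jail=$3; shift 3     # remaining args: site docroots
    groupadd -f "$group"
    # No login shell and no home to create: the session starts at the jail root.
    id "$user" >/dev/null 2>&1 ||
        useradd -M -d / -g "$group" -s /usr/sbin/nologin "$user"
    install -d -o root -g root -m 0755 "$jail"
    for site in "$@"; do
        name=$(basename "$site")
        install -d -o root -g root -m 0755 "$jail/$name"
        # A symlink would point outside the chroot and be unreachable, so
        # bind-mount the real docroot into the jail instead (add the same
        # mount to /etc/fstab so it survives a reboot).
        mountpoint -q "$jail/$name" || mount --bind "$site" "$jail/$name"
        # nginx keeps ownership via www-data; the SFTP group gets write
        # access, and setgid on directories keeps new files in that group.
        chown -R www-data:"$group" "$site"
        chmod -R g+w "$site"
        find "$site" -type d -exec chmod g+s '{}' +
    done
    if [ -n "$(chroot_dir_problems "$jail")" ]; then
        echo "refusing: sshd would reject $jail as ChrootDirectory:" >&2
        chroot_dir_problems "$jail" >&2
        return 1
    fi
    sshd_match_block "$user" "$jail" >> /etc/ssh/sshd_config
    /usr/sbin/sshd -t && service ssh restart
}

if [ "${SFTP_JAIL_INSTALL:-0}" = 1 ] && [ "$#" -ge 4 ]; then
    setup_sftp_jail "$@"
fi
```

Only the two bind-mounted subdirectories are visible to joe; the rest of /srv/www stays out of reach because the chroot root is an empty root-owned directory. Run `chroot_dir_problems /srv/sftp/joe` before restarting sshd whenever a login fails right after the "Match" block is added; the usual culprit is a `chmod -R g+w` that was applied one level too high and made the jail root itself group-writable.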

In the end I used pure-FTPd with TLS support.

Radek