
I'm currently setting up apache on a Linux server and need to create a new user which can log in and only edit files in a particular directory.

I currently have my website set up as

/data/htdocs/mywebsite/

The permissions on this are apache:apache

Now what I need to do is create a new user "joeblogs" and restrict this user to only access /data/htdocs/mywebsite/store/

The users should be able to SSH in and also SFTP, but always be directed directly to this folder; also, the user should be able to have full access to the /store/ folder but not be able to see any other folders or files on the system.

Any help on this would be appreciated; I have been running round in circles for hours.

user9517
MonkeyBlue

1 Answer


SSH has the capability to chroot a user built-in (since 4.9p1), but using it for interactive sessions is somewhat difficult.

Restricting sftp is fairly easy though, and can be configured on a per-user or per-group basis:

Match User joeblogs
    ChrootDirectory /data/htdocs/mywebsite/store/
    ForceCommand internal-sftp
    AllowTcpForwarding no

Interactive sessions are more complex, because the user needs a shell, and some device files to be present.

From man 5 sshd_config:

The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.

I wouldn't recommend this, as you would need to build and maintain a copy of any utilities they need within their chroot. If you still want to try going this route, you can read more about it in the sshd_config man page, and here.

JimB