0

I have a website in my VPS. I install Debian 7 on that VPS. My http document is located in directory /var/www/example.com I installed Nginx on that server and directory /var/www/example.com is owned by user www-data and group www-data. I want to add non root user (let's name it someone) to be able to download or upload documents onto that directory through FTP or SFTP client like FileZilla.

I found this and this guide explaining it can be done using chroot. I try to configure it but it didn't work. Here's some command that I used so far.

  1. useradd someone
  2. groupadd sftpusers
  3. usermod -G sftpusers someone
  4. vi /etc/ssh/sshd_config

I added this code

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

And at the end of file I added

Match group sftpusers
    ChrootDirectory /var/www/example.com
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
  1. service ssh restart

But when I conected through FileZilla, it gave me error. I suspect this error due to /var/www/example.com is owned by user www-data and group www-data.

Question: How to enable non root user to be able to download or upload document onto /var/www/example.com directory through FTP or SFTP client like FileZilla. This non root user should not be able to access parent directory like /var/www/

user3195859
  • 13
  • 1
  • 4
  • Check the directory permissions, say `ls -ltr /var/www/example.com` and see that allows *someone* user browse the above directory or not. – Rao Feb 26 '15 at 08:23

3 Answers3

2

OH for the love of all things cute & cuddly, do not set 777 permissions on ANYTHING that is accessible to world+dog (i.e. your website directories, anonymous ftp folders).

Modern Linux and BSD has per user ACLs that you can set and they work perfectly! You can use this to add rwx for specific users and specific groups as well. It's super easy to do once you understand them!

TLDR; use the setfacl command as follows #setfacl -m someuser:rwx /public_html SHAZAM! Now someuser has read/write/execute on your public_html directory I would encourage you to read the man page for setfacl or at least a HOWTO to get familiar with the functionality of it. Here's a simple introduction to filesystem ACLs: https://www.redhat.com/sysadmin/linux-access-control-lists

it's great for webservers where you need to allow specific developers who have their own accounts access without granting rwx to world+dog.

t3ln3t
  • 434
  • 2
  • 8
0

this is how i set my sftp for specific user

1] create a user

 adduser {USER}

2] edit /etc/ssh/sshd_config

 PasswordAuthentication yes 

 Subsystem sftp
 internal-sftp -u 0007 -f AUTH -l VERBOSE 
 Match Group {USER}
     ChrootDirectory {FOLDER}
     ForceCommand internal-sftp -u 0007
     AllowTcpForwarding no
     GatewayPorts no
     X11Forwarding no

3] set rights for the user

 chmod -R 777 {FOLDER}

4] restart ssh 

service ssh restart

replace {USER} by your user and {FOLDER} by your folder and it should works ! ;)

Froggiz
  • 3,043
  • 1
  • 19
  • 30
-1

Alright, after trial and error, it seems here's the answer.

  1. adduser someone

  2. vi /etc/ssh/sshd_config I am using Froggiz's configuration, so my code looks like this:

    PasswordAuthentication yes 

Subsystem sftp internal-sftp -u 0007 -f AUTH -l VERBOSE 
     Match Group someone
     ChrootDirectory /var/www
     ForceCommand internal-sftp -u 0007
     AllowTcpForwarding no
     GatewayPorts no
     X11Forwarding no

  3. service ssh restart

  4. chmod -R 777 /var/www/example.com . This will enable someone to upload/download file and allow webserver/php to process files in this directory.
user3195859
  • 13
  • 1
  • 4