
I have been trying to setup ftp access on my Ubuntu 14.04 Apache2 server and so far I only have a root user. The problem I am running into is that the uploaded files are owned by this user whereas I would like them to be owned by www-data. I know that what I have been doing is not the most secure but I am not very familiar with ssh or ftp as of yet other than having used ftp clients on remote web servers.

1 Answer


There are a number of ways to do this; this is the first one that comes to mind. Granted, this is not quite what you asked, since it doesn't allow shell access for the new user, but given the use case presented, this does not appear to be a problem. If you need to break things up with website-vhost-specific permissions, you're going to have to find a more granular solution, but to get things working out of the gate, this will work.

Create a new user with the primary group www-data and set its password.

# On Ubuntu the nologin shell lives at /usr/sbin/nologin (there is no /sbin/nologin);
# sshd refuses logins for an account whose shell does not exist on disk.
useradd -g www-data -d /var/www/html -s /usr/sbin/nologin webupload
passwd webupload

-g www-data means the primary group is www-data. -d /var/www/html means the home directory (and thus the chroot directory) is /var/www/html. -s /sbin/nologin means do not allow normal shell logins. webupload will be the new user's ID.

Edit /etc/ssh/sshd_config and comment (prepend #) the following line if it exists so it looks like this:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server
# (on Ubuntu the existing line names /usr/lib/openssh/sftp-server instead)

Add another line to enable internal sftp service:

Subsystem       sftp    internal-sftp

At the bottom of the file but before any other Match rules you may or may not have (by default, there are none) add the following:

# Applies to every user whose primary or supplementary group is www-data
Match Group www-data
    # %h = the user's home directory; it must be root-owned and not group/world-writable
    ChrootDirectory %h
    # %u = the user name; keys live outside the chroot so the user cannot edit them
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u
    AllowTcpForwarding no
    AcceptEnv
    X11Forwarding no
    ForceCommand internal-sftp

This means "for users logging in with group www-data, lock them in their home directory and do not allow any tcp or x11 forwarding, then force them into sftp mode."

Create the authorized keys directory

mkdir /etc/ssh/authorized_keys/

If you want to use ssh key authentication for webupload, you should create a file /etc/ssh/authorized_keys/webupload and put the public key in there as you would a regular authorized_keys file.

Now restart sshd:

service ssh restart

Try logging in with sftp with your new user. It should be able to create files as itself which are readable by www-data.


Andrew Domaszek
  • Great. This is a little more than I expected I would have to do but it seems like it will work and was definitely a very detailed explanation. Thanks a lot! I'm going to try it a little later tonight. – Unique Depiction Mar 09 '15 at 19:56
  • I had to use this command instead "useradd -g www-data -d /var/www/html -s /sbin/nologin webupload -p passwd" and I thought I did the rest correctly but now I can't login to my other user either. – Unique Depiction Mar 09 '15 at 22:33