Skip to content

Instantly share code, notes, and snippets.

@patrocle

patrocle/Chroot SFTP user with www-data rights.md

Last active December 11, 2018 23:11
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save patrocle/b90fec76dc86c11ea89a1463eb2489a5 to your computer and use it in GitHub Desktop.
Save patrocle/b90fec76dc86c11ea89a1463eb2489a5 to your computer and use it in GitHub Desktop.
Download ZIP
SFTP MYUSER will have all rights to create files/folders with www-data as owner and group in /var/www
Raw
Chroot SFTP user with www-data rights.md

Debian tips to chroot a user in it's home and add rights for www-data

STEP 1

sudo apt-get -y install bindfs

STEP 2

sudo mkdir -p /home/MYUSER/www
sudo chown -Rf MYUSER:MYUSER /home/MYUSER/www  
sudo chmod -Rf 755 /home/MYUSER/www

STEP 3

edit /etc/fstab and bind /home/MYUSER/www with /var/www, so any new folder in /home/MYUSER/www will appear with the www-data rights in /var/www

Perms will be 755 for directories and 644 for files with www-data as owner and group
sudo vim /etc/fstab

And add one line (it's for auto mount at boot):

bindfs#/var/www /home/MYUSER/www fuse force-user=MYUSER,force-group=MYUSER,create-for-user=www-data,create-for-group=www-data,create-with-perms=god=rx:ud=rwx:gof=r:uf=rw,chgrp-ignore,chown-ignore,chmod-ignore 0 0

STEP 4

Reboot server or manual mount as you want

sudo reboot

or

sudo mount /home/MYUSER/www

STEP 5

sudo apt-get install vsftpd
sudo vim /etc/vsftpd.conf

and change with

local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES

STEP 6

sudo vim /etc/ssh/sshd_config

comment 'openssh' line and add after 'UsePAM yes' the 'internal-sftp' lines and change

UsePAM yes
UseDNS no

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem  sftp  internal-sftp
Match user MYUSER
    ChrootDirectory /home/MYUSER
    ForceCommand internal-sftp
AllowTcpForwarding no

STEP 7

sudo service vsftpd restart
sudo service ssh restart

Login with MYUSER with sftp and create a file or folder in www folder, it will appear in /var/www with www-data owner and group ;-) You can edit all www-data files/folders in /var/www as well !

base source : http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/

@TCB13
Copy link

TCB13 commented Dec 11, 2018

Currently you don't need to install vsftpd due to some recent changes in OpenSSH. Just edit your /etc/ssh/sshd_config to be similar to:

Subsystem	sftp	internal-sftp

Match group choroot-sftp
	ChrootDirectory /home_chrooted/%u
	PermitTunnel no
	X11Forwarding no
	AllowTcpForwarding no
	ForceCommand internal-sftp -u 022
	PasswordAuthentication yes

Note that I'm actually adding all my users to the group choroot-sftp for convenience so you need to create it with groupadd choroot-sftp. UsePAM yes is not needed.

I'm creating the users with the following:

useradd -N -g choroot-sftp -b /home_chrooted -m -s /usr/sbin/nologin userA

This ensures: a) they all share the choroot-sftp group, instead of a group with their username, b) their home dirs are at /home_chrooted and c) they can't login to SSH (only SFTP). You can set their password using passwd userA as root.

To make this work you also need to change the owner and group of the user home folder to root:root:

chown root:root /home_chrooted/userA

To add some Apache virtual host directory to their home I'm doing:

cd /home_chrooted/userA
mkdir -p webroot/virtualhost.tld

Then I just add it to fstab as:

bindfs#/var/www-vhosts/virtualhost.tld /home_chrooted/userA/webroot/virtualhost.tld fuse force-user= userA,force-group=choroot-sftp,create-for-user=www-data,create-for-group=www-data,create-with-perms=god=rx:ud=rwx:gof=r:uf=rw,chgrp-ignore,chown-ignore,chmod-ignore 0 0

WARNING: DO NOT REMOVE USER HOME DIRS BEFORE UNMOUNTING!!
Always remove user homes with rm --one-file-system. Not following this recommendation might delete your virtual host form the original / source directory.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment