Ubuntu Server 12.04
I need to allow the user offlineuser to upload files to the var/www/mysite/web/ directory only. This directory acts as a site root as well as an upload location (legacy setup).
Within my /etc/ssh/sshd_config file:
With the following commented out, they can upload anywhere. As soon as I uncomment this, they cannot connect at all.
AllowUsers offlineuser ubuntu
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /var/www/mysite/web/%u
ForceCommand internal-sftp
PasswordAuthentication no
X11Forwarding no
AllowTcpForwarding no
offlineuser is a member of the sftponly group.
This was taken from: Chroot SFTP connection and OpenSSH SFTP chroot() with ChrootDirectory
UPDATE1
:pam_unix(sshd:session): session opened for user offlineuser by (uid=0)
: fatal: bad ownership or modes for chroot directory component "/var/www/mysite/"
: pam_unix(sshd:session): session closed for user offlineuser
So, this is pretty clear, but do I really have to chown the dir to offlineuser? Will that not cause issues if www-data wants to write to it (which is likely?)
Best Answer
From the sshd_config manpage:
It seems that all parent directories must be only writeable as root, even for SFTP. If this is not possible I would suggest moving the directory elsewhere (e.g. /home/web/offlineuser), and then symlinking/bind-mounting it into place.
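The ownership rule behind the "bad ownership or modes for chroot directory component" error can be checked before touching sshd_config. The following is an added example, not part of the original question or answer: it walks every component of a ChrootDirectory path and reports the ones that are not root-owned directories or are writable by group or other. The function names and the injectable stat_fn parameter are hypothetical, chosen for illustration.

```python
import os
import stat
from pathlib import PurePosixPath


def component_problem(st):
    """Return why sshd would refuse this path component, or None if it is acceptable.

    Rule from the sshd_config manpage: every component must be a root-owned
    directory that is not writable by any other user or group.
    """
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != 0:
        return f"owned by uid {st.st_uid}, not root"
    if st.st_mode & 0o022:  # group-write or other-write bit set
        return f"group/other writable (mode {stat.S_IMODE(st.st_mode):04o})"
    return None


def audit_chroot(path, user=None, stat_fn=os.stat):
    """Check each component from / down to the chroot target.

    Returns a list of (component, problem) for every component that fails.
    stat_fn is a hypothetical hook so the check can be exercised without root.
    """
    if user is not None:
        path = path.replace("%u", user)  # %u is the username token in ChrootDirectory
    target = PurePosixPath(path)
    if not target.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    components = list(target.parents)[::-1] + [target]  # "/", "/var", ... target
    findings = []
    for comp in components:
        try:
            problem = component_problem(stat_fn(str(comp)))
        except FileNotFoundError:
            problem = "does not exist"
        if problem:
            findings.append((str(comp), problem))
    return findings


if __name__ == "__main__":
    # Path and user taken from the question's sshd_config.
    for comp, problem in audit_chroot("/var/www/mysite/web/%u", user="offlineuser"):
        print(f"{comp}: {problem}")
```

An empty result means no component trips the ownership or mode check; each reported component has to be fixed, or the chroot moved to a path where every parent can be root-owned.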