Ubuntu – SFTP – Allow user to upload to www only

sftpsshUbuntu

Ubuntu Server 12.04

I need to allow the user offlineuser to upload files to the var/www/mysite/web/ directory only. This directory acts as a site root as well as an upload location (legacy setup).

Within my /etc/ssh/sshd_config file:

With the following commented out , they can upload anywhere. As soon as I uncomment this, they cannot connect at all.

AllowUsers offlineuser ubuntu

Subsystem       sftp    internal-sftp

Match Group sftponly
        ChrootDirectory /var/www/mysite/web/%u       
        ForceCommand internal-sftp
        PasswordAuthentication no
        X11Forwarding no
        AllowTcpForwarding no

offlineuser is a member of sftponly group

This was taken from : Chroot SFTP connection and OpenSSH SFTP chroot() with ChrootDirectory

UPDATE1

:pam_unix(sshd:session): session opened for user offlineuser by (uid=0)

: fatal: bad ownership or modes for chroot directory component "/var/www/mysite/"

: pam_unix(sshd:session): session closed for user offlineuser

So, this is pretty clear , but do I really have to chown the dir to offlineuser? Will that not cause issues if www-data wants to write to it (which is likely?)

Best Answer

From the sshd_config manpage:

Specifies the pathname of a directory to chroot(2) to after authentication. All components of the pathname must be root-owned directories that are not writable by any other user or group. After the chroot, sshd(8) changes the working directory to the user's home directory.

It seems that all parent directories must be only writeable as root, even for SFTP. If this is not possible I would suggest moving the directory elsewhere (e.g. /home/web/offlineuser), and then symlinking/bind-mounting it into place.

Related Solutions

Linux – Creating multiple SFTP users for one account

Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).

Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).

We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:

setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
  group:admin:rwx,  user:www-data:r-x,  user:$USERNAME:rwx,  group:$USERNAME:rwx \
/home/$USERNAME/

This does the following:

Gives group admin (for us, the hosting providers) rwx
Gives user www-data (Apache) r-x to the files*
Gives user $USERNAME rwx to the files
Gives group $USERNAME rwx to the files

This setup appears to be working well for us, but we are open to any suggestions for doing it better.

_{* we use suexec for CGI/PHP running as the customer account}

Ubuntu – Secure SFTP Configuration that Allows SFTP User Write Access

No sooner had I posed this, I found a solution.

Create a directory under the chroot directory, e.g. something like

/home/myuser/transfer

That directory can be writable by the user.

Best Answer

Related Solutions

Linux – Creating multiple SFTP users for one account

Ubuntu – Secure SFTP Configuration that Allows SFTP User Write Access

Related Topic