I am getting confused about this setup that I am trying to deploy.
I hope someone of you folks can lend me a hand: much much appreciated.
Background info
Server is Debian 6.0, ext3, with Apache2/SSL and Nginx at the front as reverse proxy.
I need to provide sftp access to the Apache root directory (/var/www), making sure that the sftp user is chrooted to that path with RWX permissions.
All this without modifying any default permission in /var/www.
drwxr-xr-x 9 root root 4096 Nov 4 22:46 www
Inside /var/www
-rw-r----- 1 www-data www-data 177 Mar 11 2012 file1
drwxr-x--- 6 www-data www-data 4096 Sep 10 2012 dir1
drwxr-xr-x 7 www-data www-data 4096 Sep 28 2012 dir2
-rw------- 1 root root 19 Apr 6 2012 file2
-rw------- 1 root root 3548528 Sep 28 2012 file3
drwxr-x--- 6 www-data www-data 4096 Aug 22 00:11 dir3
drwxr-x--- 5 www-data www-data 4096 Jul 15 2012 dir4
drwxr-x--- 2 www-data www-data 536576 Nov 24 2012 dir5
drwxr-x--- 2 www-data www-data 4096 Nov 5 00:00 dir6
drwxr-x--- 2 www-data www-data 4096 Nov 4 13:24 dir7
What I have tried
- created a new group secureftp
- created a new sftp user, joined to secureftp and www-data groups also with nologin shell. Homedir is /
- edited sshd_config with

    Subsystem sftp internal-sftp
    AllowTcpForwarding no
    Match Group secureftp
        ChrootDirectory /var/www
        ForceCommand internal-sftp
I can login with the sftp user, list files but no write action is allowed.
The sftp user is in the www-data group, but the permissions in /var/www are r / r+x for the group bit, so it doesn't work.
I've also tried with ACL, but as I apply ACL RWX permissions for the sftp user to /var/www (dirs and files recursively), it will change the unix permissions as well which is what I don't want.
What can I do here?
I was thinking I could enable the user www-data to login as sftp, so that it'll be able to modify files/dirs that www-data owns in /var/www.
But for some reason I think this would be a stupid move securitywise.
Best Answer
What I've done is to chroot my users to their home directories and then used mount --bind to create a link to it in their home directories. I then used setfacl to make sure www-data maintains write permissions on new files in the directory. This effect will recurse into /var/www, which is what you want to do. By setting g+s on the directory, all new files and directories created within it will inherit the group ownership from its parent. That should do the trick.
Make your mounts persistent
Obviously you want your mounts to still be there when you reboot the server. It's as simple as adding the mounts to your /etc/fstab. Not all providers let you touch this file, but most do. Just add lines like this:
You might want to reboot to make sure it works.
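The procedure the question attempts (chrooted sftp user in its own group) and the answer's fix (root-owned chroot home, bind mount of /var/www into it, default ACLs for www-data, setgid on directories, persistent fstab entry) put together as one shell script. This is an added example, not code from the question or the answer; the user name sftpuser, the chroot /home/sftpuser and the mount point /home/sftpuser/www are assumptions, as is the function naming. The check functions are pure and can be run by anyone; setup_chrooted_sftp needs root.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumed names: sftp user "sftpuser", group "secureftp", chroot directory
# /home/sftpuser, bind-mount target /home/sftpuser/www, web root /var/www.

SFTP_USER=${SFTP_USER:-sftpuser}
SFTP_GROUP=${SFTP_GROUP:-secureftp}
CHROOT_DIR=${CHROOT_DIR:-/home/$SFTP_USER}
WEB_ROOT=${WEB_ROOT:-/var/www}
MOUNT_POINT=$CHROOT_DIR/www

# sshd refuses a ChrootDirectory that is group- or world-writable.
# Takes a symbolic mode as printed by `stat -c %A` (e.g. drwxr-xr-x) and
# returns 0 only if it is a directory with no group or other write bit.
mode_is_chroot_safe() {
    case $1 in
        d????-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks a real directory: must exist, be owned by root and pass the mode test.
# This is the condition the chroot home must meet; /var/www itself could only
# meet it by staying read-only for the sftp user, which is the original problem.
chroot_dir_is_safe() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %U "$1")" = root ] || return 1
    mode_is_chroot_safe "$(stat -c %A "$1")"
}

# The /etc/fstab line that makes the bind mount survive a reboot.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$WEB_ROOT" "$MOUNT_POINT"
}

# The sshd_config Match block: the chroot is the user's root-owned home, and
# /var/www appears inside it as the writable bind mount.
sshd_match_block() {
    cat <<EOF
Subsystem sftp internal-sftp
Match Group $SFTP_GROUP
    ChrootDirectory $CHROOT_DIR
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# One-time setup; run as root after the user and group exist.
setup_chrooted_sftp() {
    chroot_dir_is_safe "$CHROOT_DIR" || {
        echo "refusing: $CHROOT_DIR must be root-owned and not group/world writable" >&2
        return 1
    }
    mkdir -p "$MOUNT_POINT"
    mount --bind "$WEB_ROOT" "$MOUNT_POINT"
    grep -qF "$MOUNT_POINT" /etc/fstab || fstab_bind_line >> /etc/fstab
    # setgid on every directory: new files and subdirectories inherit www-data
    find "$WEB_ROOT" -type d -exec chmod g+s {} +
    # ACLs instead of chmod/chown: the sftp user gets rwx on existing content,
    # and default entries give both the sftp user and www-data rwx on anything
    # created later, without touching the owner/group/other bits themselves.
    setfacl -R -m "u:$SFTP_USER:rwX,d:u:$SFTP_USER:rwX,d:u:www-data:rwX" "$WEB_ROOT"
}
```

After setfacl, the group column of ls -l shows the ACL mask rather than the group entry, which is why the question saw the "unix permissions" change; getfacl /var/www shows the real entries. The chroot_dir_is_safe check is worth keeping in the script because a chroot home that is writable by the sftp user is rejected by sshd at login and, if it were accepted, would let the user control what sshd finds under the chroot.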