chrooted sftp user with write permissions to /var/www
Posted by matthew on Super User
Published on 2013-11-05T05:07:47Z
I am getting confused about this setup that I am trying to deploy. I hope someone of you folks can lend me a hand: much much appreciated.
Background info
Server is Debian 6.0, ext3, with Apache2/SSL and Nginx at the front as reverse proxy. I need to provide sftp access to the Apache root directory (/var/www), making sure that the sftp user is chrooted to that path with RWX permissions.
All this without modifying any default permission in /var/www.
drwxr-xr-x 9 root root 4096 Nov 4 22:46 www
Inside /var/www
-rw-r----- 1 www-data www-data 177 Mar 11 2012 file1
drwxr-x--- 6 www-data www-data 4096 Sep 10 2012 dir1
drwxr-xr-x 7 www-data www-data 4096 Sep 28 2012 dir2
-rw------- 1 root root 19 Apr 6 2012 file2
-rw------- 1 root root 3548528 Sep 28 2012 file3
drwxr-x--- 6 www-data www-data 4096 Aug 22 00:11 dir3
drwxr-x--- 5 www-data www-data 4096 Jul 15 2012 dir4
drwxr-x--- 2 www-data www-data 536576 Nov 24 2012 dir5
drwxr-x--- 2 www-data www-data 4096 Nov 5 00:00 dir6
drwxr-x--- 2 www-data www-data 4096 Nov 4 13:24 dir7
What I have tried
- created a new group secureftp
- created a new sftp user, added to the secureftp and www-data groups, with a nologin shell. Home dir is /
- edited sshd_config with
    Subsystem sftp internal-sftp
    AllowTcpForwarding no
    Match Group <secureftp>
        ChrootDirectory /var/www
        ForceCommand internal-sftp
I can log in with the sftp user and list files, but no write action is allowed. The sftp user is in the www-data group, but the permissions in /var/www are read / read+x for the group bit, so... it doesn't work.
I've also tried ACLs, but as I apply ACL RWX permissions for the sftp user to /var/www (dirs and files recursively), it changes the Unix permissions as well, which is what I don't want.
What can I do here?
I was thinking I could enable the user www-data to log in via sftp, so that it would be able to modify the files/dirs that www-data owns in /var/www. But for some reason I think this would be a stupid move security-wise.
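Added example, not part of the question or of any answer to it: a small Python audit script that makes the two points above concrete. It encodes the ChrootDirectory rule from sshd_config(5) (every component of the chroot path must be a root-owned directory that is not writable by group or others; sshd refuses the session otherwise, so a working login is consistent with /var/www being root-owned 755), and it re-evaluates the directory listing from the question to show which entries a user that is merely a member of www-data can write to under plain Unix permission bits. The listing is copied from the question as constructed sample input, the user name sftpuser is a placeholder, and ACLs are deliberately out of scope.

```python
#!/usr/bin/env python3
"""Added example (not from the question or its poster): audit helpers for a
chrooted-sftp setup like the one described above.

1. component_problems()/chroot_problems() encode the ChrootDirectory rule from
   sshd_config(5): every component of the path must be a directory owned by
   root that is not writable by group or others.
2. writable_entries() re-reads an `ls -l` listing (the one from the question,
   embedded below as sample input) and reports which entries a given user
   could write to under plain Unix permission bits.
"""
import os
import stat


def component_problems(st_mode, st_uid):
    """Reasons sshd would reject one path component as part of a chroot.
    st_mode/st_uid are the fields of an os.stat_result (or constructed)."""
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append("not a directory")
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def chroot_problems(path):
    """Walk '/', '/var', '/var/www', ... and map each failing component to its
    problems.  An empty dict means the path satisfies the ChrootDirectory rule."""
    path = os.path.abspath(path)
    problems = {}
    current = os.sep
    for part in path.split(os.sep):
        if part:
            current = os.path.join(current, part)
        st = os.stat(current)
        found = component_problems(st.st_mode, st.st_uid)
        if found:
            problems[current] = found
    return problems


# The listing of /var/www as posted in the question, used as sample input.
LISTING = """\
-rw-r----- 1 www-data www-data 177 Mar 11 2012 file1
drwxr-x--- 6 www-data www-data 4096 Sep 10 2012 dir1
drwxr-xr-x 7 www-data www-data 4096 Sep 28 2012 dir2
-rw------- 1 root root 19 Apr 6 2012 file2
-rw------- 1 root root 3548528 Sep 28 2012 file3
drwxr-x--- 6 www-data www-data 4096 Aug 22 00:11 dir3
drwxr-x--- 5 www-data www-data 4096 Jul 15 2012 dir4
drwxr-x--- 2 www-data www-data 536576 Nov 24 2012 dir5
drwxr-x--- 2 www-data www-data 4096 Nov 5 00:00 dir6
drwxr-x--- 2 www-data www-data 4096 Nov 4 13:24 dir7
"""


def parse_ls_line(line):
    """Split one `ls -l` line into (mode string, owner, group, name)."""
    fields = line.split()
    return fields[0], fields[2], fields[3], fields[-1]


def can_write(mode, owner, group, user, user_groups):
    """Plain Unix-bits answer to 'can user write this entry?'.  Mirrors the
    kernel's class order: owner, then group, then others.  ACLs and root's
    override are intentionally not modelled."""
    if user == owner:
        return mode[2] == "w"      # owner write bit, e.g. -rw-r-----
    if group in user_groups:
        return mode[5] == "w"      # group write bit
    return mode[8] == "w"          # others write bit


def writable_entries(listing, user, user_groups):
    """Names of entries in `listing` that `user` could write to."""
    names = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mode, owner, group, name = parse_ls_line(line)
        if can_write(mode, owner, group, user, set(user_groups)):
            names.append(name)
    return names


if __name__ == "__main__":
    if os.path.isdir("/var/www"):
        for component, found in chroot_problems("/var/www").items():
            print(f"{component}: {', '.join(found)}")
    # sftpuser is a placeholder name for the chrooted account in the question.
    print("sftpuser (secureftp, www-data) can write:",
          writable_entries(LISTING, "sftpuser", {"secureftp", "www-data"}))
    print("www-data itself can write:",
          writable_entries(LISTING, "www-data", {"www-data"}))
```

Run as root on the server, the first loop prints nothing when /var/www and its parents already meet sshd's requirement; the second call returns an empty list for the posted listing, which is exactly the "can list, cannot write" symptom described in the question, while the third shows what an account logging in as www-data itself would gain.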
© Super User or respective owner