chrooted sftp user with write permissions to /var/www
Posted
by
matthew
on Super User
See other posts from Super User
or by matthew
Published on 2013-11-05T05:07:47Z
Indexed on
2013/11/05
9:59 UTC
Read the original article
Hit count: 308
I am getting confused about this setup that I am trying to deploy. I hope someone of you folks can lend me a hand: much much appreciated.
Background info
Server is Debian 6.0, ext3, with Apache2/SSL and Nginx at the front as reverse proxy. I need to provide sftp access to the Apache root directory (/var/www), making sure that the sftp user is chrooted to that path with RWX permissions.
All this without modifying any default permission in /var/www.
drwxr-xr-x 9 root root 4096 Nov 4 22:46 www
Inside /var/www
-rw-r----- 1 www-data www-data 177 Mar 11 2012 file1
drwxr-x--- 6 www-data www-data 4096 Sep 10 2012 dir1
drwxr-xr-x 7 www-data www-data 4096 Sep 28 2012 dir2
-rw------- 1 root root 19 Apr 6 2012 file2
-rw------- 1 root root 3548528 Sep 28 2012 file3
drwxr-x--- 6 www-data www-data 4096 Aug 22 00:11 dir3
drwxr-x--- 5 www-data www-data 4096 Jul 15 2012 dir4
drwxr-x--- 2 www-data www-data 536576 Nov 24 2012 dir5
drwxr-x--- 2 www-data www-data 4096 Nov 5 00:00 dir6
drwxr-x--- 2 www-data www-data 4096 Nov 4 13:24 dir7
What I have tried
- created a new group secureftp
- created a new sftp user, joined to secureftp and www-data groups also with nologin shell. Homedir is /
- edited sshd_config with
Subsystem sftp internal-sftp AllowTcpForwarding no Match Group <secureftp> ChrootDirectory /var/www ForceCommand internal-sftp
I can login with the sftp user, list files but no write action is allowed. Sftp user is in the www-data group but permissions in /var/www are read/read+x for the group bit so... It doesn't work.
I've also tried with ACL, but as I apply ACL RWX permissions for the sftp user to /var/www (dirs and files recursively), it will change the unix permissions as well which is what I don't want.
What can I do here?
I was thinking I could enable the user www-data to login as sftp, so that it'll be able to modify files/dirs that www-data owns in /var/www. But for some reason I think this would be a stupid move securitywise.
© Super User or respective owner