How to give limited SFTP access to a web developer

Question

I really don’t want to install a ftp client. How could I give SFTP access to a developer and have him limited to one directory i.e /var/www/htm/temp/

He should have full read and write access to everything above /temp Ideally, if he tries to login in via ssh it wold not allow it. I’ve read several tutorials now and tried different things with chroot, but just can’t seem to get it correct. Thanks for any help!

I’m using the latest Ubuntu LTS version.

Answer 1

Contex July 5, 2015

Create a chroot jail to fully isolate him from your system..

Alternatively, set proper permissions on the directories and usermod his user to /sbin/nologin. In addition to that, add the methods/functions you wish to disable in PHP.ini via disablefunctions (exec,shellexecpopen,system,showsource,passthru,procopen,phpinfo, etc).

Edit: I missed that you wanted SFTP as well, look into the internal-sftp subsystem of OpenSSH.

Reply Report

Answer 2

sierracircle July 5, 2015

I recommend using this method:

http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/

mount the /var/www/htm/temp directory into his home directory (using the above method), and do not give his user sudo. (if you have not given him sudo yet, he wont have it by default)

that way he can ssh in all he wants but wont be able to do much of anything, but will have fill access to the /temp directory and that directory will be able to use the webserver still.

Reply Report

Answer 3

Woet July 5, 2015

Why don’t you trust your developer? What prevents him from executing shell commands through your web server?

Reply Report

Answer 4

Brohemian July 5, 2015

I just hired him from a job board and I’ve only know him for 5 minutes. I do have an image backup in the worst case. But, is there a secure way to do this?

Reply Report

Answer 5

Brohemian July 5, 2015

Thanks Contex, can you recommend a good tutorial on chroot jail?

Reply Report

Contex July 5, 2015

Chroot jailing is a bit harder than just restricting sftp usage.

For chroot jailing: http://allanfeid.com/content/creating-chroot-jail-ssh-access you could also take a look at http://olivier.sessink.nl/jailkit/

I still think restricting sftp (by using the internal-sftp subsystem) would be easier for you, as chroot jails can become frustrating if you don’t know what you’re doing. See https://bensmann.no/restrict-sftp-users-to-home-folder/ for a tutorial that could help you.
Reply Report

Answer 6

Contex July 5, 2015

Chroot jailing is a bit harder than just restricting sftp usage.

For chroot jailing: http://allanfeid.com/content/creating-chroot-jail-ssh-access you could also take a look at http://olivier.sessink.nl/jailkit/

I still think restricting sftp (by using the internal-sftp subsystem) would be easier for you, as chroot jails can become frustrating if you don’t know what you’re doing. See https://bensmann.no/restrict-sftp-users-to-home-folder/ for a tutorial that could help you.
Reply Report

Related

Question

How to give limited SFTP access to a web developer

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

How to give limited SFTP access to a web developer

Leave a comment

Related

question

How come my local working directory is the same as my remote working directory? Trying to use SFTP.

question

GUI for MongoDB needed to mange Meteor app

question

Why are snapshots so slow

question

Connect to DB installed into dedicated VPS (private networking)

Looking for something else?