How to give limited SFTP access to a web developer

July 5, 2015 3k views
Linux Commands LAMP Stack Ubuntu

I really don't want to install a ftp client. How could I give SFTP access to a developer and have him limited to one directory i.e /var/www/htm/temp/

He should have full read and write access to everything above /temp Ideally, if he tries to login in via ssh it wold not allow it. I've read several tutorials now and tried different things with chroot, but just can't seem to get it correct. Thanks for any help!

I'm using the latest Ubuntu LTS version.

5 Answers

Create a chroot jail to fully isolate him from your system..

Alternatively, set proper permissions on the directories and usermod his user to /sbin/nologin. In addition to that, add the methods/functions you wish to disable in PHP.ini via disablefunctions (exec,shellexecpopen,system,showsource,passthru,procopen,phpinfo, etc).

Edit: I missed that you wanted SFTP as well, look into the internal-sftp subsystem of OpenSSH.

I recommend using this method:

mount the /var/www/htm/temp directory into his home directory (using the above method), and do not give his user sudo. (if you have not given him sudo yet, he wont have it by default)

that way he can ssh in all he wants but wont be able to do much of anything, but will have fill access to the /temp directory and that directory will be able to use the webserver still.

Why don't you trust your developer? What prevents him from executing shell commands through your web server?

I just hired him from a job board and I've only know him for 5 minutes. I do have an image backup in the worst case. But, is there a secure way to do this?

Thanks Contex, can you recommend a good tutorial on chroot jail?

Have another answer? Share your knowledge.