Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How come my local working directory is the same as my remote working directory? Trying to use SFTP. Question Question
GUI for MongoDB needed to mange Meteor app Question Question

Question

How to give limited SFTP access to a web developer

Posted July 5, 2015 11k views
UbuntuLAMP StackLinux Commands

I really don’t want to install a ftp client. How could I give SFTP access to a developer and have him limited to one directory i.e /var/www/htm/temp/

He should have full read and write access to everything above /temp Ideally, if he tries to login in via ssh it wold not allow it. I’ve read several tutorials now and tried different things with chroot, but just can’t seem to get it correct. Thanks for any help!

I’m using the latest Ubuntu LTS version.

Add a comment
Brohemian
By:
Brohemian

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
How come my local working directory is the same as my remote working directory? Trying to use SFTP. Question Question
GUI for MongoDB needed to mange Meteor app Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
5 answers
Contex July 5, 2015

Create a chroot jail to fully isolate him from your system..

Alternatively, set proper permissions on the directories and usermod his user to /sbin/nologin. In addition to that, add the methods/functions you wish to disable in PHP.ini via disablefunctions (exec,shellexecpopen,system,showsource,passthru,procopen,phpinfo, etc).

Edit: I missed that you wanted SFTP as well, look into the internal-sftp subsystem of OpenSSH.

Reply Report
sierracircle July 5, 2015

I recommend using this method:

http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/

mount the /var/www/htm/temp directory into his home directory (using the above method), and do not give his user sudo. (if you have not given him sudo yet, he wont have it by default)

that way he can ssh in all he wants but wont be able to do much of anything, but will have fill access to the /temp directory and that directory will be able to use the webserver still.

Reply Report
Woet July 5, 2015

Why don’t you trust your developer? What prevents him from executing shell commands through your web server?

Reply Report
Brohemian July 5, 2015

I just hired him from a job board and I’ve only know him for 5 minutes. I do have an image backup in the worst case. But, is there a secure way to do this?

Reply Report
Brohemian July 5, 2015

Thanks Contex, can you recommend a good tutorial on chroot jail?

Reply Report

Related

Looking for something else?

Ask a new question Search for more help