Jail new user to specified folder SFTP access, disable ssh, give permision to edit www-data files, install wordpress.

May 31, 2017 1.3k views
Apache WordPress Security Ubuntu 16.04
titanium
By:
titanium

Hi guys,
as the title say, i want to give new user SFTP access to folder so he/she can install wordpress alone without root and without ssh access, and be able to edit www-data files, and also i want him to be jailed only in the folder that i will specify so he cant snoop around my server.

i tried so much tutorials from google, but in the end user cant edit files created by wordpress itself or wordpress cant install plugins, when i set the file to be owned by the user wordpress cant install plugins, if i make www-data to own the files the user cant edit them. Im going nuts here if someone has step by step tutorial on what should i do please help me.

here is my sshd.config file 


Match User user1
AllowTcpForwarding no
X11Forwarding no
ChrootDirectory %h
ForceCommand internal-sftp

my apache setup for the new subdomain is working.

Thanks in advance guys

Log In to Comment
2 Answers
hansen May 31, 2017

Hi @titanium

I would probably recommend that instead of running the site as www-data, you should run the site as that user.

That way, user1 has full control over their home directory - only accessibly thru SFTP, since you've added the ForceCommand internal-sftp.
Then you setup Nginx to point to user1 home directory - and setup the PHP-FPM pool to being run as UID user1 and GID user1.

Reply
titanium May 31, 2017

i forgot to mention that i use apache2, and from all day testing i found out that i can edit the files in filezilla but through winscp i get (Upload of file .. was successful, but error occurred while setting the permissions and/or timestamp) what is that? i thought that winscp is best for this kind of things.
How can i implement your comment in apache2?

Reply
  • hansen May 31, 2017

    @titanium I missed your reply. Use the @ to notify other users.

    So you're connecting with SFTP in both FileZilla and WinSCP? WinSCP defaults to SCP, I think, so you need to choose SFTP when connecting.

    When you connect as user1, what is the default loaded path - /home/user1/?
    Are all files in that path owned by user1?

    EDIT:

    There's no big difference between Apache and Nginx - both run as a user and both needs to point to a root directory for a site.

    DigitalOcean actually just created a tutorial less than an hour ago:
    https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-16-04

    How To Enable SFTP Without Shell Access on Ubuntu 16.04
    SFTP stands for SSH File Transfer Protocol. As its name suggests, it's a secure way of transferring files to a server using an encrypted SSH connection. n a standard configuration, the SSH server grants file transfer access and terminal shell access to all users with an account on the system. In this tutorial, we'll set up the SSH daemon to limit SFTP access to one directory with no SSH access allowed on per user basis.
Have another answer? Share your knowledge.

Related Questions