By lflier
I have an Ubuntu 22.04 droplet with several WordPress sites. One of them requires outside technical support with FTP access.
I am able to set up a user account for “techsupport” with password authentication, which can be used for FTP access to the entire droplet. But I want to restrict FTP access for this user to a single site, e.g. “/var/www/onlythissite.com”.
I have tried, unsuccessfully, to adapt these instructions to my situation:
By manipulating ownerships I am able to keep the tech support user out of other sites but not the rest of the file structure:
sudo chown -R techsupport:www-data /var/www/onlythissite.com
But so far I am unable to do what I really want to do, which is to restrict access for this user to this single site, while still permitting it to function as a WordPress site, and preventing access to the rest of the file structure.
Any ideas?
Accepted Answer
Heya,
So first, you need to make the home directory of the User to be /var/www/onlythissite.com
Set the directory structure and permissions: The root of the chroot directory needs to be owned by root and not writable by other users.
sudo mkdir -p /var/www/onlythissite.com
sudo chown root:root /var/www
sudo chown root:root /var/www/onlythissite.com
sudo chmod 755 /var/www
sudo chmod 755 /var/www/onlythissite.com
Create a directory inside /var/www/onlythissite.com where techsupport can write:
sudo mkdir /var/www/onlythissite.com/data
sudo chown techsupport:www-data /var/www/onlythissite.com/data
sudo chmod 775 /var/www/onlythissite.com/data
Adjust the home directory of techsupport: This is necessary for the chroot to work correctly.
sudo usermod -d /var/www/onlythissite.com techsupport
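An added example (not part of either answer): a shell function that checks the ownership rule the accepted answer states, applied to every directory on the path down to the jail, which is what OpenSSH's ChrootDirectory enforces for SFTP sessions. The function name `audit_chroot` and its `STOP_AT` argument are assumptions made for this example, and it relies on GNU `stat` as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: check a chroot target against the rule in the answer above.
# audit_chroot DIR [OWNER_UID] [STOP_AT]
#   DIR        directory the FTP/SFTP user will be confined to
#   OWNER_UID  uid that must own every component (default 0, i.e. root)
#   STOP_AT    topmost directory to check (default /); a knob assumed for
#              this example so the check can be tried on a scratch tree
# Prints one line per problem. Returns 0 if clean, 1 otherwise.
# The body is a subshell, so "exit" only leaves the function.
audit_chroot() (
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1"; exit 1; }
    want_uid=${2:-0}
    stop=$(cd "${3:-/}" 2>/dev/null && pwd -P) || { echo "bad STOP_AT: $3"; exit 1; }
    rc=0
    while :; do
        # GNU stat: %u is the owner uid, %a the octal permission bits
        set -- $(stat -c '%u %a' "$dir")
        uid=$1
        mode=$2
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # 022 masks the group-write and other-write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$dir: mode $mode is writable by group or others"
            rc=1
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    exit "$rc"
)

# Typical use on the droplet (paths from the answer above):
#   audit_chroot /var/www/onlythissite.com
```

The writable `data` directory at mode 775 does not trip the check, because it sits below the jail root rather than on the path leading to it.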
Heya, @lflier
Yes, this is doable and not that hard or time-consuming to set up as well.
First, create a new group specifically for this WordPress site. Let’s call it “wordpress_only”.
sudo groupadd wordpress_only
Add the “techsupport” User to the New Group:
sudo usermod -aG wordpress_only techsupport
Change the group ownership of the WordPress site directory to “wordpress_only” and restrict permissions to allow only the owner (techsupport user) and the group members (wordpress_only group) to access it.
sudo chown -R techsupport:wordpress_only /var/www/onlythissite.com
sudo chmod -R 750 /var/www/onlythissite.com
For WordPress to function correctly, you also need to ensure that the web server (usually www-data) has appropriate permissions to access the files within the WordPress directory.
sudo chown -R www-data:www-data /var/www/onlythissite.com/wp-content/uploads
I assume you’re using ProFTPD. You’ll need to configure it to chroot the “techsupport” user to the WordPress site directory. Locate the ProFTPD configuration file, usually located at /etc/proftpd/proftpd.conf, and add or modify the following lines:
DefaultRoot /var/www/onlythissite.com
After making changes to the ProFTPD configuration, restart the ProFTPD service to apply the changes.
sudo systemctl restart proftpd
With that done, the “techsupport” user should only have access to the specified WordPress site directory and its subdirectories. They won’t be able to navigate outside of this directory or access other WordPress sites or system files.
Hope that this helps!