I have an Ubuntu 22.04 droplet with several WordPress sites. One of them requires outside technical support with FTP access.
I am able to set up a user account for “techsupport” with password authentication, which can be used for FTP access to the entire droplet. But I want to restrict FTP access for this user to a single site, e.g. “/var/www/onlythissite.com”
I have tried, unsuccessfully, to adapt these instructions to my situation:
By manipulating ownerships I am able to keep the tech support user out of other sites but not the rest of the file structure:
sudo chown -R techsupport:www-data /var/www/onlythissite.com
But so far I am unable to do what I really want to do, which is to restrict access for this user to this single site, while still permitting it to function as a WordPress site, and preventing access to the rest of the file structure.
Any ideas?
Heya,
So first, you need to make the home directory of the user be /var/www/onlythissite.com
Set the directory structure and permissions: The root of the chroot directory needs to be owned by root and not writable by other users.
Create a directory inside /var/www/onlythissite.com where techsupport can write:
Adjust the home directory of techsupport: This is necessary for the chroot to work correctly.

Heya, @lflier
Yes, this is doable and not that hard or time-consuming to set as well.
First, create a new group specifically for this WordPress site. Let’s call it “wordpress_only”.
Add the “techsupport” user to the new group:
Change the group ownership of the WordPress site directory to “wordpress_only” and restrict permissions to allow only the owner (techsupport user) and the group members (wordpress_only group) to access it.
For WordPress to function correctly, you also need to ensure that the web server (usually www-data) has appropriate permissions to access the files within the WordPress directory.
I assume you’re using ProFTPD. You’ll need to configure it to chroot the “techsupport” user to the WordPress site directory. Locate the ProFTPD configuration file, usually located at /etc/proftpd/proftpd.conf, and add or modify the following lines:
After making changes to the ProFTPD configuration, restart the ProFTPD service to apply the changes.
With that done, the “techsupport” user should only have access to the specified WordPress site directory and its subdirectories. They won’t be able to navigate outside of this directory or access other WordPress sites or system files.
Hope that this helps!
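
Added example, not part of either answer above: a pre-flight check for the rule stated in the first answer, that the chroot root must be owned by root and not writable by other users. It goes one step further and applies the same test to every parent directory up to /, which is an assumption beyond what the answers state. It assumes GNU stat (as on Ubuntu), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as on Ubuntu.
# perm_ok and audit_chroot are hypothetical helper names.

# Pure rule: the owner must be uid 0 and the octal mode must have no
# group-write or other-write bit set (mask 022).
perm_ok() {   # usage: perm_ok <uid> <octal-mode>
    [ "$1" -eq 0 ] || return 1
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# Walk from the chroot root up to /, printing every component that breaks
# the rule. Returns 0 if all pass, 1 if any fail, 2 if the path is missing.
audit_chroot() {   # usage: audit_chroot <dir>
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "no such directory: $1"
        return 2
    }
    rc=0
    while :; do
        # stat prints "<uid> <mode>", e.g. "0 755"
        set -- $(stat -c '%u %a' "$dir")
        if ! perm_ok "$1" "$2"; then
            echo "FAIL $dir (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Run against a path given on the command line, e.g.
#   sh audit.sh /var/www/onlythissite.com
if [ $# -gt 0 ]; then
    audit_chroot "$1"
fi
```

After the recursive chown shown in the question, this reports /var/www/onlythissite.com as a failure because the directory is owned by techsupport rather than root.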