Question
SFTP Help; One master account with total control and multiple sub accounts with limited control.
Hello,
So I’m looking for some advice on a proper sftp setup. I have already read several tutorials on D.O and surfed various forums looking for the ideal solution.
I’m working on creating a better environment than I currently have (apache2, mysql, php, sftp) and wanted to try out nginx, MariaDB, php, sftp, fail2ban, iptables, etc… Everything is working well but sftp; it seems to be permissions, let me break it down.
Current environment:
- 512MB plan
- Debian 7.0x64
- Nginx
- MariaDB
- PHP
- OpenSSH
For reference I moved the default Nginx root from /usr/share/nginx/www to /var/www. I have already changed all the server {} blocks and that’s fine. I can access the root and all from my IP. The trouble comes from multiple sftp accounts and vhost (sorta, not really).
I wanted to have a master account (let’s say john) that has SSH and can access the entire server via SFTP. John is in the sudo group and basically has all privileges besides root; I’m connecting via FileZilla, not the terminal. I’m thinking this is not 100% the best idea and might want to create a master ftp account with access to /var/www but with /usr/sbin/nologin.
The john account can navigate all the files and create, delete, modify, etc…:
/var/www
- example.com/public_html
- example.net/public_html
- and so on....
/var/www is currently www-data:www-data and everything works; however, I want specific user accounts for each site:
- example.com/public_html would get “jim”
- example.net/public_html would get “jack”
- and so on…
They are jailed to their respective directory but have read and write.
I created a group called sftp-only, added nologin to /etc/shells and jailed the users:
$ sudo groupadd sftp-only
# the shell listed in /etc/shells must match the one set with -s below (writing to /etc/shells needs root)
$ echo "/usr/sbin/nologin" | sudo tee -a /etc/shells
$ sudo usermod -g sftp-only -s /usr/sbin/nologin -d /var/www/example.com <username>
$ sudo usermod -g sftp-only -s /usr/sbin/nologin -d /var/www/example.net <username>
Then in sshd_config I added the Match group block:
$ sudo nano /etc/ssh/sshd_config
In file:
Subsystem sftp internal-sftp
Match Group sftp-only
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
However, in order for this to work I need to chown each jail directory with username:sftp-only AND need the parent directory to be root:root, which kills my permissions:
$ sudo chown root:root /var/www
$ sudo chown <username>:sftp-only /var/www/example.com
Major issues:
- /var/www should not be owned by root but instead www-data (best practice & security)
- Master ftp account can no longer act as a master account
- Child sftp-only accounts are finicky
It all comes down to permissions and I really have no idea where to go… Has anyone dealt with this before? I have a feeling it is simply not possible; I’m trying to keep the server as third-party free as possible but I think I might need one.
Again really looking to keep it third-party free but willing to accept any advice at this point.
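As an added example (not part of the question or of any answer on this page), here is a Python check that applies the rule sshd enforces on ChrootDirectory to every component of the chroot path, so you can see exactly which directory is blocking the jail; it is run against a constructed ownership table mirroring the layout above, and the uids and the table are assumptions.

```python
import os
import stat
from pathlib import PurePosixPath

def chroot_path_problems(chroot, stat_fn=os.stat):
    """Every directory from / down to `chroot` must be root-owned and not
    group/world writable; directories *below* it (public_html) are not checked,
    so they may belong to the jailed user. Returns [] when sshd would accept it."""
    problems = []
    path = PurePosixPath(chroot)
    if not path.is_absolute():
        return [f"{chroot}: ChrootDirectory must be an absolute path"]
    for i in range(1, len(path.parts) + 1):
        component = PurePosixPath(*path.parts[:i])
        try:
            st = stat_fn(str(component))
        except FileNotFoundError:
            problems.append(f"{component}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: mode {oct(stat.S_IMODE(st.st_mode))} is group/world writable")
    return problems

def stat_from_table(table):
    """Build a stat() stand-in from a constructed {path: (uid, mode)} table."""
    def _stat(path):
        if path not in table:
            raise FileNotFoundError(path)
        uid, mode = table[path]
        return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return _stat

# Constructed table (assumed uids) reproducing the question's layout:
# /var/www owned by www-data, the site directory owned by the jailed user.
UID_WWW_DATA, UID_JIM = 33, 1001
BROKEN_LAYOUT = {
    "/": (0, 0o40755),
    "/var": (0, 0o40755),
    "/var/www": (UID_WWW_DATA, 0o40775),
    "/var/www/example.com": (UID_JIM, 0o40755),
    "/var/www/example.com/public_html": (UID_JIM, 0o40755),
}
# Same layout with only the chroot chain handed to root; public_html stays jim's.
FIXED_LAYOUT = dict(BROKEN_LAYOUT, **{"/var/www": (0, 0o40755), "/var/www/example.com": (0, 0o40755)})
```

Against BROKEN_LAYOUT the check reports /var/www (wrong owner and group-writable) and /var/www/example.com (owned by jim); against FIXED_LAYOUT it reports nothing, because the user-owned public_html sits below the chroot and is never inspected.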
Anyone?