I have a server setup with multiple sites running with nginx
/var/www/site1.com
/var/www/site2.com
I want to create chroot users so I created a group and user
addgroup sftpgroup
adduser sftpuser1 -G stfpgroup
in my sshd_config I updated with:
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory /home
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
I am able to connect sftpuser1 via sftp and see the home directory, Now I want user to have access on site's folder at
/var/www/site1.com
so I connect sftpuser1 via sftp and created a folder /home/sftpuser1/sit1.com, Than with root login I created mount:
mount --bind /var/www/sit1.com /home/sftpuser1/sit1.com
Now when I login with sftp of stfpuser1 the folder '/home/sftpuser1/sit1.com' has disappeared
But when I login with root I can see the folder in user's directory and its displaying site1.com's content.
I checked the folder permission were changed to root:root, I chown to sftpuser1:sftpuser1 but still folder doesn't appear.
When I umount folder, its visibile to stfpuser1 again.
If the owner of /var/www/ is root and others don't have permission to read from it, then all the directories inside won't be visible to them.
I was able to do so, Here are the steps it took, in sshd_config:
Subsystem sftp internal-sftp
Match Group sftpgroup
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
than I created user with:
useradd -g sftpgroup -d /var/www/site1.com site1user
At this point I make sure that /var/www/site1.com is owned by root
chown root:root /var/www/site1.com
than I created another directory where user will be able to write
mkdir /var/www/site1.com/http_docs
than I changed the permission to user:
chown site1user:sftpgroup /var/www/site1.com/http_docs
than I set the user password:
passwd site1user
and all seems to working as it should.
Related
on Ubuntu 20.04
I have a WordPress site on directory /var/www/site.com/public_html/
I created a staging site inside the mail directory /var/www/site.com/public_html/stagesite
I am trying to five access only to the stagesite folder to be accessed by developer to be able to edit and update files inside.
Steps taken
created user "developer" and group "restricted" and developer user is a restricted group user
updated the folder owner and permissions sudo chown -R root:root stagesite/ && sudo chmod -R 775 /stagesite
added to the end of sshd_config file /etc/ssh/sshd_config
Match Group restricted
# Force the connection to use SFTP and chroot to the required directory.
ForceCommand internal-sftp
ChrootDirectory /var/www/mainsite.com/public_html/stagesite
# Disable tunneling, authentication agent, TCP and X11 forwarding.
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
NOW tried to connect with Filezilla, it will not connect using SFTP
I tried adding sub-directory to the ChrootDirectory to be like below but still didn't connect
/var/www/mainsite.com/public_html/stagesite/wp-content
I was only able to connect when setting ChrootDirectory to the user home directory
/home/developer
It is required that all directories from the home of the chrooted user to the root must be owned by root:root and must not be group or world writable. This is probably not the case for fileadmin home directory.
I'm using docker-compose in a WSL environment. Currently Wordpress runs in the docker composer. All files in the Projects folder are at www-data group and user which allows Wordpress to create everything and upload plugins.
But vs-code has file permission errors as soon as I want to edit files.
Switching user to and www-data groups allows vs-code to edit files but Wordpress has permission errors when uploading plugins or deleting plugins/files.
wsl.conf looks like that:
# Enable extra metadata options by default
[automount]
enabled = true
root = /windir/
options = "metadata,umask=22,fmask=11"
mountFsTab = false
# Enable DNS – even though these are turned on by default, we'll specify
here just to be explicit.
[network]
generateHosts = true
generateResolvConf = true
Using Win 11 with Ubuntu-20.04 - Kernel: 5.10.60.1 and latest docker version.
EDIT:
Still, when I want to edit stuff in Wordpress, upload Media or uploading plugins I need to sudo chown -R www-data * and if I want tot edit files in VScode I need to sudo chown -R <username> *
I had a similar issue on my local WordPress development setup. (Windows 10 + WSL2), here is a link to the git repo:
https://github.com/dorumarginean/wordpress-docker
For uploading images / plugins I updated the owner like you mentioned and for write permissions with Visual Studio Code I edited the PHP container inside my docker-compose.yml.
user: “1000:1000”
Here's what I did when I had a similar problem:
create a new group that contains both www-data and the user that runs your editor.
Let's call your local user myuser and your new group mygroup for now.
First you need to create a new group
sudo addgroup mygroup
Add both the webserver user and your user to this new group
sudo adduser myuser mygroup
sudo adduser www-data mygroup
now give the ownership of the website directory to this new group. cd to your website's directory, then
sudo chown -vR :mygroup .
grant write permission to the group
sudo chmod -vR g+w .
Check to make sure that the changes took effect with ls -ld to see the owner and the permissions of the files and groups myuser www-data to see if both users are indeed in mygroup.
Then make sure to reinitialize the user environment so the permissions coming from the new group will be updated
newgrp - mygroup
You may need to log out and log in again for the user environment to update in the GUI.
I'm setting up a new server and want to have a sftpuser for our /var/www/ directory to upload webcontent without installing a ftp server like proFTPD.
Did u can help me to do this? I just know how about with a FTP Server like proFTPD.
Best regards
Create user:
sudo useradd -d /var/www username
Set them a password:
sudo passwd username
Open the /etc/ssh/sshd_config file and append the below given code. (Remember to replace "username" with username you have created):
subsystem sftp internal-sftp
Match User username
ChrootDirectory %h
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Restart the ssh :
sudo service ssh restart
Now it should work. There may be some ownership problems (just chown things for the user if they really need to use that).
I am using wordpress with google cloud and set it up for sftp connection. The permission to folders are 755 and files are 644. Even i have changed Cloud API access scopes to "allow full connection".
When i try to add plugin through wordpress backend it will ask me for ftp credentials unless i change to sudo chown -Rf www-data.www-data /var/www/html but then i can't upload or change any file through sftp unless i change sudo chown -R [my-user-name]:www-data /var/www/html.
So i have to change permissions every time i change something either through sftp or through backend.
I solved my problem like so.
First add your username(sftp username in mycase) in group www-data
then assign group www-data as an owner
and finally grant permission to www folder.
sudo adduser <username> www-data
sudo chown -R www-data:www-data /var/www
sudo chmod -R g+rwX /var/www
remember to restart filezilla or any sftp client you are using so the changes can take effect.
I think this one might be considerd off-topic as this is a linux permissions issue and not a Google Cloud one, and it have been answered many times. Usually done by adding your linux user to the webserver group.
Whats the simplest way to edit and add files to “/var/www”
www-data permissions?
[SOLVED] Can't Post Files to /var/www using Filezilla via SFTP on ...
I'm new to Linux (using Debian). How to make writeable dir for user and for web-server?
I connect to server via ssh, upload my files. And run next commands:
sudo chown -R www-data:www-data writeable/
sudo chmod -R g+rw writeable/
Then nginx and php (running by www-data user) writes files to writeable. Auter that i do not able to edit or delete those files.
Please help me. I know what that question was asked a million times, but i could not to find solution.
Thanks!
not sure to understand, but I guess you want your dir to be writable for user "www-data" and for another user, let's call it "medvedev".
You can put both users in a group, and grant write permissions for owner (www-data) and group.
useradd -G medvedev www-data