So I am trying to create a user that only has access to a specific folder inside my public_html folder. I have successfully created the user and I am able to login. I had some troubles logging in, in the start, because the folder had to be owned by root, before the sftp user could sftp.
So I followed this guide: - instructing me to change ownership of the folder to root.
After doing this, I can successfully login, however, once I login, I am unable to add files or do anything within this folder, since it is owned by root.
I tried creating a group, and adding the root user and the sftp user as members of this group, but that didn't work either.
My work around was to create another directory inside the sftp folder, using root user, and then afterwards changing ownership to the sftp user, but this seems too hacky to me and addtionally adds another folder to the tree structure which I am not a huge fan of.
Any ideas how to allow a sftp user write access to a folder, while root remains the owner?
11 Answer
There's a lot of chatter about this kind of thing across a few stack exchange sites. But in case this is not a duplicate ...
In my CentOS 7 when you use ChrootDirectory to restrict a user to a directory, that directory has to be owned by root and it cannot allow write access to any other user either by permissions or FACLs. You can set up a symbolic link but the sftp user will not be able to follow it if s/he's restricted to a directory. So you have to do this.
Create a user
useradd ftp_user set up password
passwd ftp_user Set up permissions. His home dir is going to be his jail.
chown root:root /home/ftp_user chmod 0755 /home/ftp_user Restrict the user to that jail now
vi /etc/ssh/sshd_config Change this:
#Subsystem sftp /usr/lib/openssh/sftp-server to
Subsystem sftp internal-sftp Add
Match User ftp_user ChrootDirectory %h ForceCommand internal-sftp AllowTCPForwarding no X11Forwarding no Save and exit vi.
Don't forget:
systemctl restart sshd Now we trick them. Let's say your client has a website that your going to let him keep playing with at /var/www/corny_website
Make sure he has permissions on that directory
setfacl -m u:ftp_user:rwx /var/www/corny_website setfacl -d -m u:ftp_user:rwx /var/www/corny_website Now you mount it instead of symlink to it.
mkdir /home/ftp_user/corny_website mount --bind /var/www/corny_website /home/ftp_user/ Now when the user sftps. He won't get that broken pipe error, and he'll only be able to see /home/ftp_user and what's more, he'll only be able to upload to or download from /var/www/corny_website which he sees as /corny_website.