Changing write permissions for jailed SFTP denies login
I have scouted over many websites and forums on how to set up an SFTP user that is jailed to a certain directory using CHROOT. Here are the steps I have followed, but I can't seem to get write permissions to work.
Setup
sshd_config
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match group webmaster
X11Forwarding no
ChrootDirectory %h
AllowTcpForwarding no
ForceCommand internal-sftp
Create Folder
mkdir /var/www/sites
Create User and Group
useradd uploader
passwd uploader
usermod -d /var/www/sites uploader
# groupadd only creates a group; adding an existing user to a group is done with usermod -a -G
usermod -a -G webmaster uploader
usermod -a -G www-data uploader
Permissions and Ownership
chown root:root /var/www
chmod 755 /var/www/sites
Now with these settings the user uploader is able to SFTP into the home directory but is unable to write to the directory.
There are 2 typical errors that occur, I either can't login or I don't have write permissions.
Login Error
Error: Network error: Software caused connection abort
Error: Could not connect to server
Changing permissions of /var/www/sites to 775 or 777 causes a login error.
chown of /var/www/sites to uploader:root causes a login error.
With chown root:webmaster or root:www-data I have no write permissions.
I am at my wits' end trying to figure this out, and if anyone could point me in the right direction I would greatly appreciate it.
Thank you.
Solution 1:
Found out the solution. The user is jailed to /var/www/sites. I then created another folder /var/www/sites/site1.
I use:
chown root:webmaster /var/www/sites/site1
chmod 775 /var/www/sites/site1
This enabled the home directory to have the correct permissions to login and then be able to write to the next folder up.
If the user needs write access to /var/www/sites, then you must jail the user at /var/www, which has root:root ownership and permissions of 755. You then need to give /var/www/sites ownership of root:(your group) and permissions of 775.
Solution 2:
Maybe the greatest solution is:
mkdir /var/www/sites/myfirstuser/hisownsite
mkdir /var/www/sites/myseconduser/hisownsite
...
chown root:root /var/www/sites /var/www/sites/{myfirstuser,myseconduser} && chmod 755 /var/www/sites/{myfirstuser,myseconduser}
chmod 775 /var/www/sites/myfirstuser/hisownsite
chmod 775 /var/www/sites/myseconduser/hisownsite
chgrp www-data /var/www/sites/myfirstuser/hisownsite /var/www/sites/myseconduser/hisownsite
Add the users:
useradd -d /var/www/sites/myfirstuser -s /bin/false -g www-data dev1
useradd -d /var/www/sites/myseconduser -s /bin/false -g www-data dev2
passwd dev1
passwd dev2
Then, for each user you have created, add an ssh tag like this: (you could also use the "Match Group" directive as in your example instead of "Match User")
Match User dev1
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
Match User dev2
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
So you can manage all users you need in a chrooted environment.
Hth, Fabrizio
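Both answers hinge on the same rule: sshd refuses to chroot a session unless the ChrootDirectory and every directory above it are owned by root and are neither group- nor world-writable, so the writable upload directory has to sit one level below the jail. The script below is an added example, not the question's or either answer's own commands, that checks a path against that rule and rebuilds the Solution 1 layout under a temporary directory to show a passing chain and the failing 775 chroot from the question. The function names (check_chroot_path, make_layout, demo) are this example's own; it assumes GNU coreutils stat -c. The walk root and expected owner uid are parameters only so the demo can run unprivileged against a constructed tree; on a live system call it as check_chroot_path /var/www/sites / 0.

```shell
#!/bin/sh
# Added example, not part of the question or the answers.
# check_chroot_path DIR STOP OWNER_UID
#   Walks from DIR up to STOP (inclusive) and fails on the first component that
#   is not owned by OWNER_UID or is group-/world-writable. With STOP=/ and
#   OWNER_UID=0 this mirrors the test sshd applies to ChrootDirectory; the two
#   parameters exist only so the unprivileged demo below can use a temp tree.
# Assumes GNU coreutils: stat -c '%u' (owner uid) and '%A' (symbolic mode).
check_chroot_path() {
    dir=$1 stop=$2 want_uid=$3
    while :; do
        uid=$(stat -c '%u' "$dir" 2>/dev/null) || { echo "missing: $dir"; return 1; }
        sym=$(stat -c '%A' "$dir")            # e.g. drwxr-xr-x
        gw=$(printf '%s' "$sym" | cut -c6)    # group write bit
        ow=$(printf '%s' "$sym" | cut -c9)    # other write bit
        if [ "$uid" -ne "$want_uid" ] || [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "unsafe component: $dir (uid=$uid mode=$sym)"
            return 1
        fi
        [ "$dir" = "$stop" ] && return 0
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1    # hit / without meeting STOP
        dir=$parent
    done
}

# make_layout BASE: constructed copy of the Solution 1 layout under BASE.
# The chroot BASE/var/www/sites is 755; the upload directory below it is 775.
make_layout() {
    base=$1
    mkdir -p "$base/var/www/sites/site1"
    chmod 755 "$base/var" "$base/var/www" "$base/var/www/sites"
    chmod 775 "$base/var/www/sites/site1"
}

# demo: the correct layout passes; loosening the jail itself to 775 (the change
# that produced the "connection abort" in the question) makes it fail.
demo() {
    base=$(mktemp -d) || return 1
    me=$(id -u)
    make_layout "$base"
    if check_chroot_path "$base/var/www/sites" "$base" "$me"; then
        echo "ok: chroot chain is safe; uploads belong in site1"
    fi
    chmod 775 "$base/var/www/sites"
    if ! check_chroot_path "$base/var/www/sites" "$base" "$me"; then
        echo "as expected: sshd would refuse this chroot"
    fi
    rm -rf "$base"
}

demo
```

The walk stops at STOP so the temp directory's world-writable parent (/tmp) is not inspected; for a real audit the stop is / and the owner is uid 0, which is exactly why chown uploader:root or chmod 775 on /var/www/sites in the question broke the login while the same change one level down did not.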