Creating multiple SFTP users for one account
Solution 1:
Our solution is to create a main user account for each customer, such as flowershop. Each customer can create an arbitrary number of side accounts with their own passwords, such as flowershop_developer, flowershop_tester, flowershop_dba, etc. This allows them to hand out accounts without sharing their main account password, which is better for a whole bunch of reasons (for example, if they need to remove their DBA's account, they can easily do that without changing their own passwords).
Each one of these accounts is in the flowershop group, with a home folder of /home/flowershop/. SSH uses this as the chroot directory (/home/%u, as shown in the configuration in the question).
We then use ACLs to enable every user in group flowershop to modify all files. When a new customer account is created, we set the ACLs as follows:
setfacl -Rm \
d:group:admin:rwx,d:user:www-data:r-x,d:user:$USERNAME:rwx,d:group:$USERNAME:rwx,\
group:admin:rwx, user:www-data:r-x, user:$USERNAME:rwx, group:$USERNAME:rwx \
/home/$USERNAME/
This does the following:
- Gives group
admin(for us, the hosting providers)rwx - Gives user
www-data(Apache)r-xto the files* - Gives user
$USERNAMErwxto the files - Gives group
$USERNAMErwxto the files
This setup appears to be working well for us, but we are open to any suggestions for doing it better.
* we use suexec for CGI/PHP running as the customer account
Solution 2:
Not sure how the above solution helps answer the Op's problem. If flowershop_developer logs in, he will be chroot to /home/%u i.e /home/flowershop_developer directory. And similarly for other users.
How can they see the content of /home/flowershop directory if they are jailed to their home directory?
Hopefully I'm not missing something so trivial. I have a working solution using the mount -o bind option which would allows me to mount /home/flowershop within /home/flowershop_developer but was hoping there is an easier and elegant solution.