Need help - limit access to sftp user to other user's home->subfolder

I have been able to find a lot of help with jailing a user to their own home folder and restricting them only to sftp, but I am working on a more advanced solution.

What I am trying to do, and can't find any docs on, is this: I want to restrict sftp access for a user but give them access to a site folder inside another user's home folder.

Two users - u1 and u2
Two home folders - /home/u1 & /home/u2
u1 has a website in a subfolder - /home/u1/public_html/site1/
I want to jail u2 to user u1's site1 folder above. Could use some help on doing that.

Notes:
- I can't use something like vsftpd because I have the system locked down pretty good.
- user u1's site1 folder's chown is u1:www-data and I would like to be able to keep it that way if possible. I read that in order to chroot the folder has to be owned by root:root, but this would screw things up on the webserver side I think.
- If I need to use vsftpd I just need help understanding how to keep the system secure at the same time.

Thanks in advance for your help.

UPDATE1:

added a user u2

setup the private ssh keys

changed the /home/u2 ownership to root:root

modified the /etc/ssh/sshd_config file:

#Subsystem sftp /usr/lib/openssh/sftp-server 
Subsystem sftp internal-sftp -u 0002
Match User u2
        ChrootDirectory /home/u2
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

added u2 to the www-data group

added a folder /home/u2/site1

bind-mounted the u1 folder I need u2 to have access to with this command:

sudo mount --bind /home/u1/public_html/site1/public /home/u2/site1

changed all permissions of all files/folders within /home/u2/site1 to include write permissions for the group:

chmod -R 775 /home/u2/site1

made all future files/folders belong to www-data:

chmod g+s /home/u2/site1/

switched to both users and made new files/folders have group write permissions:

umask 002

went into u2's /home/u2/.bashrc AND /home/u2/.profile and added umask 002 at the end of each file

Everything is working - u2 cannot ssh in but can sftp in and can only see /home/u2 and above. BUT, I still can't get any new files/folders to automatically have group write permissions. Any help would be great. Thanks.

UPDATE2:

Ok, did a couple of tests. Weird results:

created a folder through sftp with u2 called test and it had the permissions rwxr-sr-x (755 right?) and was able to sftp in as u1 and was able to go into that folder but not upload a file but was able to delete that folder.

As u1 I was able to upload a file and its permissions became rw-rw-r-- (664) like we have been trying to do. Also as u1 I created a folder named test2 and it gave the permissions of rwxrwsr-x (775) like we wanted also.

As u2 I am able to sftp into folder 2 and upload a file but the permissions are still rw-r--r-- (644) but CAN delete it with u1 sftp.

I think there is something going on with the jail or something with the u2 account not letting a certain service run or something that will let the proper umask take hold. Thoughts?

UPDATE3:

Ok, tried something and it worked. Confusion for sure! Hopefully someone can explain why it worked.

In the /etc/ssh/sshd_config file I commented out the line ForceCommand internal-sftp and restarted ssh and it worked. Happy but confused. Thanks.

Match User u2
        ChrootDirectory /home/u2
        X11Forwarding no
        AllowTcpForwarding no
        #ForceCommand internal-sftp

If user u2 only needs to access /home/u1/public_html/site1 via SFTP and is not allowed to access the system in any other way, you can give him that directory as a home directory and follow normal chroot procedures.

Alternatively:

A Linux bind mount allows you to map one part of an existing file system to a second location in your directory tree. Bind mounts do not change the underlying filesystem permissions.

mkdir /home/u2/site1
mount --bind /home/u1/public_html/site1 /home/u2/site1

User u2 can still be chrooted, and if the file system permissions allow him to write in /home/u1/public_html/site1, he can now access that location at /home/u2/site1 from within his chroot.
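Why UPDATE3 "worked": a ForceCommand in the Match block replaces the sftp Subsystem line for that user, so the -u 0002 on the Subsystem line never reached u2's session until the ForceCommand was removed (or given its own -u 0002). The script below is an added example, not code from the question or the answer: it reads constructed sshd_config snippets and reports the command sshd would run for a user's SFTP session; the parser is deliberately simplified (assumption: only "Match User <one name>" blocks are recognised, any other Match criteria count as not matching).

```shell
# Constructed config after the question's UPDATE1: umask on the Subsystem line,
# but the Match block's ForceCommand (no -u) is what actually runs for u2.
CONFIG_UPDATE1='Subsystem sftp internal-sftp -u 0002
Match User u2
        ChrootDirectory /home/u2
        ForceCommand internal-sftp'

# Constructed config after UPDATE3: ForceCommand commented out, so the
# Subsystem line (with its -u 0002) serves u2 too, which is why it "worked".
CONFIG_UPDATE3='Subsystem sftp internal-sftp -u 0002
Match User u2
        ChrootDirectory /home/u2
        #ForceCommand internal-sftp'

# Constructed config that keeps the forced command and still sets the umask.
CONFIG_FIXED='Subsystem sftp internal-sftp -u 0002
Match User u2
        ChrootDirectory /home/u2
        ForceCommand internal-sftp -u 0002'

# effective_sftp_command USER CONFIG_TEXT
# Per sshd_config(5): a ForceCommand in a matching block overrides a global
# one, which overrides the sftp Subsystem; within a section the first value wins.
# Simplified (assumption): only "Match User <name>" blocks are matched.
effective_sftp_command() {
    printf '%s\n' "$2" | awk -v user="$1" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim
        $0 == "" || /^#/ { next }                    # blanks and comments
        tolower($1) == "match" {
            inblock = 1; matched = (tolower($2) == "user" && $3 == user); next
        }
        tolower($1) == "subsystem" && $2 == "sftp" && !inblock {
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "")   # drop "Subsystem sftp"
            if (subsystem == "") subsystem = $0
            next
        }
        tolower($1) == "forcecommand" {
            sub(/^[^ \t]+[ \t]+/, "")                # drop the keyword
            if (!inblock && gforce == "") gforce = $0
            if (matched && mforce == "") mforce = $0
        }
        END {
            cmd = (mforce != "") ? mforce : (gforce != "") ? gforce : subsystem
            print cmd
        }'
}
```

Against a live daemon the same question is answered by `sshd -T -C user=u2,host=HOST,addr=ADDR`, whose output lists the effective forcecommand for that connection.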