Enable non-root user to upload/download to website directory

I have a website on my VPS. I installed Debian 7 on that VPS. My HTTP documents are located in the directory /var/www/example.com. I installed Nginx on that server, and the directory /var/www/example.com is owned by user www-data and group www-data. I want to add a non-root user (let's name it someone) who can download or upload documents to that directory through an FTP or SFTP client like FileZilla.

I found this and this guide explaining that it can be done using chroot. I tried to configure it, but it didn't work. Here are the commands that I have used so far.

  1. useradd someone
  2. groupadd sftpusers
  3. usermod -G sftpusers someone
  4. vi /etc/ssh/sshd_config

I added this code

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

And at the end of file I added

Match group sftpusers
    ChrootDirectory /var/www/example.com
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

  5. service ssh restart

But when I connected through FileZilla, it gave me an error. I suspect this error is due to /var/www/example.com being owned by user www-data and group www-data.

Question: How can I enable a non-root user to download or upload documents to the /var/www/example.com directory through an FTP or SFTP client like FileZilla? This non-root user should not be able to access parent directories like /var/www/.
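
The ownership suspicion in the question can be checked directly. The script below is an added example, not part of the original post: sshd_config(5) states that at session startup sshd checks that all components of the ChrootDirectory pathname are root-owned directories not writable by any other user or group, and the script reports each component of a path against that rule. The function names and the optional trusted-uid argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Audits a ChrootDirectory path
# the way sshd does at session start: every component must be a directory,
# owned by root, and not writable by group or others.

# check_component DIR [TRUSTED_UID] -> 0 if DIR passes, 1 otherwise.
# TRUSTED_UID defaults to 0 (root); it is an assumption of this example,
# exposed only so the check can be exercised without root privileges.
check_component() {
    c_dir=$1
    c_uid_ok=${2:-0}
    c_status=0
    if [ ! -d "$c_dir" ]; then
        echo "FAIL $c_dir: not a directory"
        return 1
    fi
    c_uid=$(stat -L -c %u "$c_dir")   # numeric owner (GNU stat, as on Debian)
    c_mode=$(stat -L -c %a "$c_dir")  # octal permission bits, e.g. 755
    if [ "$c_uid" -ne "$c_uid_ok" ]; then
        echo "FAIL $c_dir: owned by uid $c_uid, expected $c_uid_ok"
        c_status=1
    fi
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then   # 022 = group/other write bits
        echo "FAIL $c_dir: mode $c_mode is writable by group or others"
        c_status=1
    fi
    if [ "$c_status" -eq 0 ]; then echo "ok   $c_dir"; fi
    return "$c_status"
}

# check_chroot_path /ABSOLUTE/PATH [TRUSTED_UID] -> 0 only if all components pass.
check_chroot_path() {
    case $1 in
        /*) p=$1 ;;
        *)  echo "FAIL $1: this check expects an absolute path"; return 1 ;;
    esac
    rc=0
    while :; do
        check_component "$p" "${2:-0}" || rc=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# Example: sh check_chroot.sh /var/www/example.com
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```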


OH for the love of all things cute & cuddly, do not set 777 permissions on ANYTHING that is accessible to world+dog (i.e. your website directories, anonymous ftp folders).

Modern Linux and BSD have per-user ACLs that you can set, and they work perfectly! You can use this to add rwx for specific users and specific groups as well. It's super easy to do once you understand them!

TL;DR: use the setfacl command as follows:

#setfacl -m someuser:rwx /public_html

SHAZAM! Now someuser has read/write/execute on your public_html directory. I would encourage you to read the man page for setfacl, or at least a HOWTO, to get familiar with its functionality. Here's a simple introduction to filesystem ACLs: https://www.redhat.com/sysadmin/linux-access-control-lists

It's great for web servers where you need to allow specific developers who have their own accounts access without granting rwx to world+dog.