Ubuntu Jail FTP-User in /var/www/html with full permissions

0

On Ubuntu 18.x I want to block a user in the /var/www/html directory.

I created a user this way:

useradd ftpuser
passwd ftpuser
usermod -G www-data ftpuser
usermod -d /var/www/html ftpuser
chown ftpuser:www-data /var/www/html

Then in /etc/ssh/sshd_config

Subsystem sftp internal-sftp
    Match User ftpuser
            ChrootDirectory /var/www/html
            PasswordAuthentication yes
            X11Forwarding no
            AllowTcpForwarding no
            ForceCommand internal-sftp

Then:

chown root /var/www/*
chown root:root /var/www/html
chown ftpuser:www-data /var/www/html*

I connect and I'm stuck in the html folder. But I cannot create and edit files. I want to assign full permissions to the ftpuser without the ability to level up from the html folder.

After giving the command from this answer

setfacl -m g:ftpuser:rwx /var/www/html

I cannot connect anymore.

Error: Network error: Software caused connection abort
Error: Unable to connect to the server

EDIT

ls -la /var/www/html

total 28
drwxr-xr-x 4 ftpuser www-data  4096 Mar  9 14:54 .
drwxr-xr-x 3 root    root      4096 Mar  9 14:31 ..
-rw-rw-r-- 1 ftpuser ftpuser      0 Mar  9 14:54 aa
drwx------ 2 ftpuser ftpuser   4096 Mar  9 14:52 .cache
drwx------ 3 ftpuser ftpuser   4096 Mar  9 14:52 .gnupg
-rw-r--r-- 1 root    root     10918 Mar  9 14:32 index.html

giacomosilli

Posted 2019-03-09T13:56:44.797

Reputation: 1

Could you run ls -la /var/www/html and [edit] your question to include the output? It would be useful to see the actual ownership & permissions on the html directory and any subdirectories that you want these users to be able to access. – Kenster – 2019-03-09T17:13:57.313

No one knows how to solve the problem? – giacomosilli – 2019-03-12T17:22:00.873

Answers

0

ChrootDirectory /var/www/html
...
ls -la /var/www/html
drwxr-xr-x 4 ftpuser www-data  4096 Mar  9 14:54 .

The SSH server ChrootDirectory option requires that the chroot directory belong to root:

ChrootDirectory
Specifies the pathname of a directory to chroot(2) to after authentication. At session startup sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group.

If you want /var/www/html to be the chroot directory, then it has to be root-owned, and it can't be group- or world-writable. The html directory may contain files and subdirectories which are writable by other users, but not the html directory itself.

Depending on what's in the /var/www directory, you might be able to make it the chroot directory.

Alternately, you could create a new directory to act as the chroot directory, then use a bind mount to make /var/www/html accessible from within the chroot directory.

Kenster

Posted 2019-03-09T13:56:44.797

Reputation: 5 474

Thanks for the reply, I understood several things. Can you tell me how to create a directory that acts as a chroot directory and use a link to make /var/www/html accessible? Or a link that tells me how to do it? Thank you – giacomosilli – 2019-03-12T20:11:28.337

Hi, any idea? :) – giacomosilli – 2019-03-14T20:47:08.197
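
The ChrootDirectory rule quoted in the answer above, written as a pre-flight check that walks every component of the path. This is an added example, not code from the original posts; it assumes GNU stat as shipped on Ubuntu, and the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Rule applied (from the sshd_config text quoted above): every component must
# be a root-owned directory that is not writable by group or others.

# Print "<uid> <octal mode> <file type>" for one path (GNU stat assumed).
stat_component() {
    stat -L -c '%u %a %F' "$1" 2>/dev/null
}

# Check one component; print a verdict and return 0 (ok) or 1 (fails the rule).
check_component() {
    if ! info=$(stat_component "$1"); then
        echo "FAIL $1: cannot stat"
        return 1
    fi
    uid=${info%% *}; info=${info#* }
    mode=${info%% *}; ftype=${info#* }
    bad=0
    [ "$ftype" = "directory" ] || { echo "FAIL $1: not a directory ($ftype)"; bad=1; }
    [ "$uid" = "0" ] || { echo "FAIL $1: owned by uid $uid, must be root (uid 0)"; bad=1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "FAIL $1: mode $mode is group- or world-writable"; bad=1; }
    [ "$bad" -eq 0 ] && echo "ok   $1 (uid $uid, mode $mode)"
    return "$bad"
}

# Walk "/" and then each component of an absolute path; return 0 only if all pass.
check_chroot_path() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 2 ;;
    esac
    rest=${1#/}; current=; rc=0
    check_component / || rc=1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue   # skip empty parts ("//", trailing "/")
        current=$current/$part
        check_component "$current" || rc=1
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /var/www/html
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1"
fi
```

The same check applies to a separate directory created to serve as the chroot for the bind-mount approach.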