Jail user to home directory while still allowing permission to create and delete files/folders

6

1

I'm trying to give a client SFTP access to the root directory of their site on my server (Ubuntu 10.10) so they can manage their website themselves.

While I have been successful in jailing a user to a directory and giving them SFTP access, they are only allowed to create and delete new files in subdirectories (the directories they own). This means that I must give them access to the parent directory of the root of their site.

So far I have followed the instructions in this tutorial as follows:

addgroup filetransfer
usermod -G filetransfer username
chown root:root /home/username
chmod 755 /home/username
cd /home/username
mkdir docs public_html
chown username:username *

How can I limit them to the root of their site (for example public_html) while still allowing them the ability to create and delete files? All the tutorials I have read suggest that root must be the owner of the user's home directory, which prevents them from having write access inside that directory.

I'm relatively new to managing my own server, so I would be very grateful for any advice.

Many thanks.

limitlessloop

Posted 2012-03-28T13:31:19.117

Reputation: 161

Answers

1

You should tell what you've done exactly to achieve this. If you're not already, you should probably try to use chroot (advice here: http://www.unixwiz.net/techtips/chroot-practices.html).

For your specific problem, you need to provide your users with write permission on their root folder. Either set them as owners and make sure write permission is set. I'm not sure why this would be such a bad idea:

# chown someuser /user/root/folder
# chmod u+w /user/root/folder

Or if you want to keep root as the owner, you could do it with a group:

# addgroup somegroup
# adduser someuser somegroup
# chgrp somegroup /user/root/folder
# chmod g+w /user/root/folder

EDIT

As comments mention in the provided link, it appears that root has to be the owner of the concerned directory for chroot to work correctly. But nothing seems to prevent changing the group. So following this tutorial's naming, this could do the trick:

# chown root:filetransfer /home/username
# chmod 775 /home/username

Notice how the permissions are now 775 and not 755; this gives write permission to all users belonging to the filetransfer group.

EDIT 2

No, that's not enough. Maybe this is just not feasible.

Laurent Couvidou

Posted 2012-03-28T13:31:19.117

Reputation: 155

Thanks for your advice. On line 3 of your second example are you changing the group associated with the folder? And on line 4 I presume this gives the group write access to the folder? I've added a reference to one of the methods I've tried to jail the user and give them SFTP access to give you a base line of what I've done so far. – limitlessloop – 2012-03-28T19:33:35.507

Both your assumptions are right. According to a comment in your link (Ryan's), the directory should be owned by the root account but changing the group might be OK. So the group trick might work, I edited my answer above. – Laurent Couvidou – 2012-03-28T20:47:53.747

Hi, thanks. After spending a few hours reading some more articles regarding chroot and trying your suggestions it seems that when you give the group access to the chroot directory SFTP denies the user access to the directory. The error I get in one FTP client is "Could not open channel (Closing all channels)." At one point I thought I had it working but I'm not sure if that was something fishy going on with my FTP client. – limitlessloop – 2012-03-28T23:29:14.243

Reading some more, it seems that sshd is quite strict about who it allows access. If it detects permissions from any other user it denies access. https://wiki.archlinux.org/index.php/SFTP-chroot – limitlessloop – 2012-03-28T23:36:11.520

OK, so you need somebody that knows more about that than myself. Maybe this is just not possible with chroot and sftp? I've got SFTP access to a Gandi simple hosting instance => no way to create files or directories at root. – Laurent Couvidou – 2012-03-29T09:16:31.397

Really appreciate your time though. I know a lot more about chown and chgrp :) Thanks for your help. – limitlessloop – 2012-03-29T09:52:43.147

0

For an Ubuntu system:

I used this command with these arguments:

sudo useradd -d /home/node -m node

And then tested it with this username and sftp into ssh. I was successfully jailing this username, and a bin/shell skeleton is given to that username but with limited function.

This is the most simple and best solution that I came across just a few nights ago.

Faron

Posted 2012-03-28T13:31:19.117

Reputation: 257