chrooted sftp user with write permissions to /var/www

I am getting confused about this setup that I am trying to deploy. I hope someone of you folks can lend me a hand: much much appreciated.

Background info

Server is Debian 6.0, ext3, with Apache2/SSL and Nginx at the front as reverse proxy. I need to provide sftp access to the Apache root directory (/var/www), making sure that the sftp user is chrooted to that path with RWX permissions.

All this without modifying any default permission in /var/www.

drwxr-xr-x  9 root root  4096 Nov  4 22:46 www

Inside /var/www

-rw-r----- 1 www-data www-data     177 Mar 11  2012 file1
drwxr-x--- 6 www-data www-data    4096 Sep 10  2012 dir1
drwxr-xr-x 7 www-data www-data    4096 Sep 28  2012 dir2
-rw------- 1 root     root          19 Apr  6  2012 file2
-rw------- 1 root     root     3548528 Sep 28  2012 file3
drwxr-x--- 6 www-data www-data    4096 Aug 22 00:11 dir3
drwxr-x--- 5 www-data www-data    4096 Jul 15  2012 dir4
drwxr-x--- 2 www-data www-data  536576 Nov 24  2012 dir5
drwxr-x--- 2 www-data www-data    4096 Nov  5 00:00 dir6
drwxr-x--- 2 www-data www-data    4096 Nov  4 13:24 dir7

What I have tried

  1. created a new group secureftp
  2. created a new sftp user, added to the secureftp and www-data groups, also with a nologin shell. Homedir is /
  3. edited sshd_config with
         Subsystem sftp internal-sftp
         AllowTcpForwarding no
         Match Group secureftp
               ChrootDirectory /var/www
               ForceCommand internal-sftp

I can log in with the sftp user and list files, but no write action is allowed. The sftp user is in the www-data group, but permissions in /var/www are read / read+x for the group bit, so... it doesn't work.

I've also tried with ACLs, but when I apply ACL RWX permissions for the sftp user to /var/www (dirs and files recursively), it changes the unix permissions as well, which is what I don't want.

What can I do here?

I was thinking I could enable the user www-data to log in via sftp, so that it'll be able to modify files/dirs that www-data owns in /var/www. But for some reason I think this would be a stupid move security-wise.

bashintosh

Posted 2013-11-05T05:07:47.380

Reputation: 103

I don't think it is possible without changing the permission. – Unnikrishnan – 2013-11-05T05:19:29.813

Answers

What I've done is to chroot my users to their home directories and then used mount --bind to create a link to it in their home directories.

I then used setfacl to make sure www-data maintains write permissions on new files in the directory. This effect will recurse into /var/www, which is what you want to do.

By setting g+s on the directory, all new files and directories created within it will inherit the group ownership from its parent.

useradd someuser
mkdir -p /home/someuser/www
mount --bind /var/www /home/someuser/www
chmod g+s /home/someuser/www
chown -R someuser:www-data /home/someuser/www
setfacl -d -m g::rwx /home/someuser/www

That should do the trick.

Make your mounts persistent

Obviously you want your mounts to still be there when you reboot the server. It's as simple as adding the mounts to your /etc/fstab. Not all providers let you touch this file, but most do.

Just add lines like this:

/var/www        /home/someuser/www        none        bind        0        0

You might want to reboot to make sure it works.

Steen Schütt

Posted 2013-11-05T05:07:47.380

Reputation: 456

Fact is that when you chmod g+s /home/someuser/www and chown someuser:www-data /home/someuser/www it'll also transfer the same permissions and owner:group to /var/www. This is due to the mount --bind. Thanks a lot! – bashintosh – 2013-11-05T11:41:48.973

Where can I pay you a beer? Looks like it's all good, and Apache doesn't seem to complain about sftp-user as the owner of /var/www. I was very close to your solution when I went the ACL way, but I left the suid part out: you're magic, thanks! – bashintosh – 2013-11-05T12:17:44.223