Using sftp ChrootDirectory while giving other users write access to the same directory

1

1

I need to allow an untrusted user SFTP access to a particular directory under his webserver root. I don't want him to access any other parts of the system (including the rest of the web), so I thought about using OpenSSH's ChrootDirectory directive. Essentially something like the approach described here.

However, it seems there is no way to do that, while simultaneously allowing the web server (or the git deploy script) to write to that directory, because as soon as I do that, I get a fatal: bad ownership or modes for chroot directory component "/srv/www/" error.

I have thought about creating the directory elsewhere and mount --binding it, but the limitation seems to apply to the chrooted directory and not only its parents, so I get the same problem again.

I get that it's a security thing, but that's not really relevant here since:

  • the other users are trusted (well, relatively, and they can't add suid files anyway)
  • the untrusted user only has SFTP access, not SSH so they shouldn't be able to run anything either way

So, anything I've overlooked? Any sane ways out of that mess? (Without moving to FTP or setting up incron/rsync between 2 directories preferably.)

himdel

Posted 2014-04-16T22:41:37.140

Reputation: 119

Answers

0

You could set the user's home directory to be his chroot folder, as described in the tutorial which you linked to. Then mount /srv/www/ onto a subdirectory of the user's home directory:

mkdir /home/jdoe/srv-www
mount --bind /srv/www /home/jdoe/srv-www

After connecting with sftp, he'd have to cd into the subdirectory to access the contents of /srv/www/. You could lock down permissions on the user's home directory and the other files there, if you wanted to.

Kenster

Posted 2014-04-16T22:41:37.140

Reputation: 5 474
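As an added illustration (not code from the original question or answer), the script below reproduces the rule that sshd applies to every path component of a ChrootDirectory (owned by root, not writable by group or others) so the "bad ownership or modes" error can be predicted before sshd_config is changed, and then performs the bind-mount steps from the answer. The function names, the user jdoe and the paths are assumptions carried over from the answer; `stat -c` is the GNU coreutils form, and the setup function needs root.

```shell
#!/bin/sh
# Added example, not part of the original post. Constructed for illustration.

# check_chroot_path DIR [OWNER_UID] [START]
# Walks the components of DIR below START (default "/", i.e. from the root)
# and applies the rule sshd enforces for ChrootDirectory: each component is
# owned by OWNER_UID (default 0 = root) and has no group/other write bit.
# Prints the first offending component; returns 0 on success, 1 on a
# policy violation, 2 when a component does not exist.
check_chroot_path() {
    dir=$1
    owner=${2:-0}
    start=${3:-/}
    case $start in */) start=${start%/} ;; esac   # "/" becomes ""
    rel=${dir#"$start"}
    path=$start
    oldifs=$IFS; IFS=/; set -- $rel; IFS=$oldifs
    for comp; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        uid=$(stat -c %u "$path" 2>/dev/null) || { echo "missing: $path"; return 2; }
        mode=$(stat -c %a "$path")
        if [ "$uid" != "$owner" ]; then
            echo "bad owner on $path (uid $uid, expected $owner)"
            return 1
        fi
        # last octal digit = others, the one before it = group;
        # a write bit is set when the digit is 2, 3, 6 or 7
        o=${mode#"${mode%?}"}
        rest=${mode%?}
        g=${rest#"${rest%?}"}
        case "$g$o" in
            *[2367]*) echo "group/other writable: $path (mode $mode)"; return 1 ;;
        esac
    done
    echo "ok: every component of $dir is uid $owner and not group/other writable"
    return 0
}

# setup_chroot_bind USER SRC
# The answer's procedure: the user's home directory becomes the chroot
# (root-owned, mode 755) and SRC is bind-mounted into a subdirectory of it.
# Only the chroot and its parents must satisfy the rule above, so SRC itself
# may stay writable for the web server or a deploy script.
# Requires root; not exercised by the test. The matching sshd_config stanza
# (as in the linked tutorial) would be:
#   Match User jdoe
#       ChrootDirectory %h
#       ForceCommand internal-sftp
setup_chroot_bind() {
    user=$1; src=$2
    home=$(getent passwd "$user" | cut -d: -f6) || return 1
    [ -n "$home" ] || return 1
    chown root:root "$home" && chmod 755 "$home" || return 1
    mkdir -p "$home/srv-www" || return 1
    mount --bind "$src" "$home/srv-www" || return 1
    check_chroot_path "$home"
}

# Usage: sh chroot_check.sh /home/jdoe   (runs only when a path is given)
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run the check against the intended chroot before restarting sshd; a non-zero exit names the component that would trigger the error from the question.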

Maybe I wasn't clear, but the user must be able to access only a subdirectory of the web, not the whole thing, e.g. /home/jdoe/srv-www/downloads, and simultaneously other users need to be able to access that directory as well. – himdel – 2014-04-24T14:37:56.550