FTP is being used less and less in favour of SFTP, for obvious security reasons. But by default, system users can see the whole filesystem once they log in.
This is why it can be useful to have users who are confined to certain folders. For example, if you host multiple websites for multiple users and you do not want one user to be able to see another's data.
This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.
Limit SSH access
The first thing we will do is limit users' access to their corresponding folders. We are going to put them all together in the group sftp.
addgroup sftp
Once the group is created, we will make changes to the SSH server.
We will edit the configuration file:
vim /etc/ssh/sshd_config
We will look for the following line:
Subsystem sftp /usr/lib/openssh/sftp-server
And we will replace it with:
Subsystem sftp internal-sftp
Then, at the end of the file (a Match block applies until the next Match, so it must come after the global settings), we will add a set of rules for the users of this group:
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTCPForwarding no
PasswordAuthentication yes
Once we finish, we will restart the service and validate that it works.
systemctl restart sshd
systemctl status sshd
Copying the system
Since users will only be allowed into a limited tree, any program that runs inside it needs its own copy of the binaries, libraries and device nodes it depends on. That is why we recreate a minimal copy of the system structure there.
In this example we are going to create a folder to host everything in /webs/.
mkdir -p /webs/
We will check which of these device files are real device nodes (not symbolic links):
ls -l /dev/{null,zero,stdin,stdout,stderr,random,tty}
that will return something similar to this:
crw-rw-rw- 1 root root 1, 3 jun 25 14:47 /dev/null
crw-rw-rw- 1 root root 1, 8 jun 25 14:47 /dev/random
lrwxrwxrwx 1 root root 15 jun 25 14:47 /dev/stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 jun 25 14:47 /dev/stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 jun 25 14:47 /dev/stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty 5, 0 jun 25 14:47 /dev/tty
crw-rw-rw- 1 root root 1, 5 jun 25 14:47 /dev/zero
We will recreate the real device nodes in our new root, using the major and minor numbers shown above (the symbolic links are not needed):
mkdir -p /webs/dev/
mknod -m 666 /webs/dev/null c 1 3
mknod -m 666 /webs/dev/random c 1 8
mknod -m 666 /webs/dev/tty c 5 0
mknod -m 666 /webs/dev/zero c 1 5
We will make this folder owned by root and validate it. OpenSSH refuses to chroot into a directory that is writable by anyone other than root, so write permission must be granted only to the owner and not to the group; we will use 0755.
chown root: /webs
chmod 0755 /webs
ls -ld /webs
We will copy bash.
mkdir -p /webs/bin
cp -v /bin/bash /webs/bin
We will have to copy some libraries. First we will create the folder structure.
mkdir -p /webs/lib/
mkdir -p /webs/lib64/
mkdir -p /webs/lib/x86_64-linux-gnu/
And we will check that the required libraries exist, and which libraries bash actually depends on:
ls -l /lib/x86_64-linux-gnu/{libtinfo.so.*,libdl.so.*,libc.so.*,ld-linux-x86-64.so.*}
ldd /bin/bash
We will copy the corresponding files.
cp -v /lib/x86_64-linux-gnu/{libtinfo.so.*,libdl.so.*,libc.so.*} /webs/lib/
cp -v /lib64/ld-linux-x86-64.so.* /webs/lib64/
cp -va /lib/x86_64-linux-gnu/libnss_files* /webs/lib/x86_64-linux-gnu/
Finally, we will make a copy of the user and group databases, so that names can be resolved inside the chroot.
mkdir -p /webs/etc/
cp -vf /etc/{passwd,group} /webs/etc/
With this we will have everything necessary so that users can connect by SFTP and interact with the upload and download of files.
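The library copy above is done by hand for bash. As an added example (not part of the original tutorial), the following shell functions generalise it: they parse the output of ldd and copy the binary plus every resolved library into the chroot under its original path, so the dynamic loader's search paths stay valid. It assumes a glibc-based Linux with ldd and coreutils; ldd_paths and copy_deps are names chosen here.

```shell
#!/bin/sh
# Added example: copy a binary and every shared library ldd resolves for it
# into a chroot root, preserving the original directory layout.
# Assumes GNU/Linux with ldd and coreutils; ldd_paths/copy_deps are names
# chosen for this example, not tools from the tutorial.

# Read ldd output on stdin and print one absolute library path per line.
# Lines like "linux-vdso.so.1 (0x...)" (no file on disk) and
# "libx.so => not found" are skipped, so a missing dependency never
# produces a bogus copy.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # libfoo.so => /path/libfoo.so (addr)
        $1 ~ /^\//               { print $1 }         # /lib64/ld-linux-x86-64.so.2 (addr)
    '
}

# copy_deps BINARY CHROOT: copy BINARY and its libraries below CHROOT.
# cp -L follows symlinks (libc.so.6 usually points at a versioned file), so
# the chroot gets a regular file under the name the loader asks for.
copy_deps() {
    binary=$1
    root=${2%/}
    mkdir -p "$root$(dirname "$binary")"
    cp -vL "$binary" "$root$binary" || return 1
    ldd "$binary" | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -vL "$lib" "$root$lib" || exit 1   # exit only leaves the pipeline's subshell
    done
}

# Example run (as root): copy_deps /bin/bash /webs
if [ $# -eq 2 ]; then
    copy_deps "$1" "$2"
fi
```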
Creating a user
The users will be created so that they only have access to the /webs/ folder that we have created, and so that they belong to the group sftp.
useradd usuarioejemplo -m -d /webs/usuarioejemplo -G sftp
We can verify that the user belongs to its own group and to sftp.
groups usuarioejemplo
That will give us back something like:
usuarioejemplo : usuarioejemplo sftp
The next thing will be to remove the user's shell, since with SSH shell access they would be able to execute programs or reach any part of the system.
usermod -s /bin/false usuarioejemplo
And finally we will give a password to the user.
passwd usuarioejemplo
Now we will make sure that the user's home folder is owned by root and is not writable by the user, as ChrootDirectory requires.
chown root: /webs/usuarioejemplo
chmod 0755 /webs/usuarioejemplo
And, since we have changed users, groups and permissions, we will make a fresh copy of the user and group databases.
cp -vf /etc/{passwd,group} /webs/etc/
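Both /webs and the user's home above must satisfy the ownership and mode rules sshd enforces for ChrootDirectory, or the login is rejected with "bad ownership or modes for chroot directory". As an added example (not part of the original tutorial), this shell script walks from the target directory up to the root and reports any component that is not owned by root or is group- or world-writable. It assumes GNU coreutils stat; the function names and the optional OWNER_UID and TOP arguments are additions made here so the check can also be exercised on a test tree owned by a non-root user.

```shell
#!/bin/sh
# Added example: verify that a chroot target meets the conditions sshd checks
# before honouring ChrootDirectory: the directory and every ancestor must be
# owned by root and must not be writable by group or others.
# Assumes GNU coreutils stat (Linux). check_dir/check_chroot_path are names
# chosen for this example; OWNER_UID and TOP default to 0 and / and exist
# only so the check can run on a tree created by a non-root user.

# check_dir PATH OWNER_UID: check one directory, print a verdict, return 0 if ok.
check_dir() {
    p=$1
    want=$2
    [ -d "$p" ] || { echo "FAIL $p: not a directory"; return 1; }
    uid=$(stat -c %u "$p")
    mode=$(stat -c %a "$p")      # e.g. 755 or 1777
    other=${mode#"${mode%?}"}    # last octal digit (others)
    rest=${mode%?}
    group=${rest#"${rest%?}"}    # second-to-last octal digit (group)
    ok=0
    [ "$uid" = "$want" ] || { echo "FAIL $p: owned by uid $uid, expected $want"; ok=1; }
    case $group$other in         # write bit set in either digit: 2, 3, 6 or 7
        [2367]?|?[2367]) echo "FAIL $p: mode $mode is group- or world-writable"; ok=1 ;;
    esac
    [ $ok -eq 0 ] && echo "ok   $p (mode $mode, uid $uid)"
    return $ok
}

# check_chroot_path DIR [OWNER_UID] [TOP]: check DIR and each parent up to TOP.
check_chroot_path() {
    current=${1%/}; [ -n "$current" ] || current=/
    want=${2:-0}
    top=${3:-/}; top=${top%/}; [ -n "$top" ] || top=/
    status=0
    while :; do
        check_dir "$current" "$want" || status=1
        [ "$current" = "$top" ] && break
        [ "$current" = "/" ] && break     # never walk past the real root
        current=$(dirname "$current")
    done
    return $status
}

# Example run (as root): check_chroot_path /webs/usuarioejemplo
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```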
Accessing by SFTP
At this time, users will be able to access the server by SFTP, in the same way as they would by FTP. By default the FTP port is 21, and the SFTP port is 22.
Creating a website
From this moment we could create folders for different websites. If you are responsible for the system, you can create a site for the user.
First we would create the folder:
mkdir /webs/usuarioejemplo/www.dominio.es/
And finally we give the user ownership of it:
chown usuarioejemplo: /webs/usuarioejemplo/www.dominio.es/
At this point the user can manage all of its contents by SFTP.
About this document
This document is covered by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content on your website, in your presentation or in any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.