Linode Forum
Linode Community Forums
Posted: Tue Mar 19, 2013 3:20 am
Senior Member

Joined: Tue Aug 14, 2012 5:55 pm
Posts: 82
Hi,

I am using Ubuntu 12.04 and have used the Linode documentation to set up the server.

All my websites reside in /home -> myusername -> public -> website1 or website2 or website3

How can I create an SFTP user and give him access (read/write/execute) to ONLY the website3 folder?

Kindly help me with this, will truly appreciate any help.


Posted: Tue Mar 19, 2013 5:30 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
This should help http://library.linode.com/security/sftp-jails

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Tue Mar 19, 2013 7:15 am
Senior Member

Joined: Tue Aug 14, 2012 5:55 pm
Posts: 82
@obs

Thanks for the post but I have checked it,

Quote:
Your users should now be able to log into their accounts via SFTP and transfer files to and from the directories located beneath their home directories, but they shouldn't be able to see the rest of the server's filesystem.


As I mentioned, all the websites reside in my username. So it's like giving another user access to one particular directory which is located under my home -> username.

Please guide me appropriately, I am new to this and need urgent help.


Posted: Tue Mar 19, 2013 8:35 am
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
1. usermod -d /home/myusername/public/website1 username_of_website_1
This sets the home directory to /home/myusername/public/website1

chown -R username_of_website_1:username_of_website_1 /home/myusername/public/website1/
So that user can write, make sure you own (myusername) /home/myusername/public/

I have this in the sshd_config:
Match group filetransfer
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Then, add username_of_website_1 to a secondary group (usermod -a -G filetransfer username_of_website_1)

Make sure to restart ssh and it should work like that. Haven't tested it out but I believe this is all there is to it :)


Posted: Tue Mar 19, 2013 12:45 pm
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
Nuh uh - no can do. The directory you chroot a user to must be owned by root and not writeable by anyone other than root.

However, look at chesty's post there, about bind mounts.
What MIGHT work:
- Give the user a separate/private homedirectory
- Make it root-owned and root-writable, so it can be the chroot.
- Create a subdirectory inside
- Bindmount your website from your homedir to that dir.

Also, you should consider moving your websites from your homedir to /srv ASAP.

_________________
rsk, providing useless advice on the Internet since 2005.
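
The four steps in the post above, written out as an added example; it is not code from the thread. The account name, the jail location under /home and the ACL step for write access are assumptions, and the `filetransfer` group is the one matched by the `Match group filetransfer` / `ChrootDirectory %h` block quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Account name, group and paths are
# assumptions. Set RUN=echo to print the commands instead of running them;
# without it the function has to be run as root.

JAIL_BASE=${JAIL_BASE:-/home}           # assumed parent of the jail directories
SFTP_GROUP=${SFTP_GROUP:-filetransfer}  # group matched in sshd_config

# make_sftp_jail USER SITE_DIR
# Builds JAIL_BASE/USER as a root-owned chroot with SITE_DIR bind-mounted
# on a subdirectory inside it.
make_sftp_jail() {
    user=$1
    site=$2
    jail=$JAIL_BASE/$user
    inner=$jail/$(basename "$site")

    # Step 1: a separate home directory for an SFTP-only account.
    ${RUN:-} groupadd -f "$SFTP_GROUP"
    ${RUN:-} useradd -d "$jail" -M -G "$SFTP_GROUP" -s /usr/sbin/nologin "$user"
    # Step 2: the chroot itself is owned by root and writable by root only.
    ${RUN:-} mkdir -p "$inner"
    ${RUN:-} chown root:root "$jail"
    ${RUN:-} chmod 755 "$jail"
    # Steps 3 and 4: the subdirectory inside the jail gets the website
    # bind-mounted on top of it.
    ${RUN:-} mount --bind "$site" "$inner"
    # Assumption: write access is granted with an ACL, so the owner and
    # group of the existing site files stay as they are.
    ${RUN:-} setfacl -R -m "u:$user:rwX" -m "d:u:$user:rwX" "$site"
}
```

A bind mount made this way does not survive a reboot; an /etc/fstab line with the `bind` option makes it permanent.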


Posted: Tue Mar 19, 2013 3:41 pm
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
What rsk said is correct; you can use mounts.

I store sites in /srv/sites/sitename and chroots in /src/chroots/username, then bind mount sitename to username

Posted: Tue Mar 19, 2013 4:15 pm
Senior Member

Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
rsk wrote:
Nuh uh - no can do. The directory you chroot a user to must be owned by root and not writeable by anyone other than root.

However, look at chesty's post there, about bind mounts.
What MIGHT work:
- Give the user a separate/private homedirectory
- Make it root-owned and root-writable, so it can be the chroot.
- Create a subdirectory inside
- Bindmount your website from your homedir to that dir.

Also, you should consider moving your websites from your homedir to /srv ASAP.


Thanks - I thought it would just have to be owned by someone else, and perhaps with certain permissions set on it. Good to know it has to be root.
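
A check for the ownership rule discussed above, as an added example that is not part of the thread. It goes one step further than the posts: sshd applies the rule to every directory on the path from / down to the chroot, so the function walks all of them. It assumes GNU stat (Linux); the optional owner uid and start directory are there only so the check can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the thread: report every directory on the way
# to a chroot that is not owned by the expected uid or that is group- or
# world-writable. sshd itself always expects uid 0 and starts at /.

# check_chroot DIR [OWNER_UID] [START_DIR]
# Prints one line per problem; returns 0 if clean, 1 if not, 2 if DIR is missing.
check_chroot() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "missing: $1"; return 2; }
    want=${2:-0}
    start=${3:-/}
    bad=0
    while :; do
        uid=$(stat -c %u "$dir")
        mode=$(stat -c %a "$dir")
        if [ "$uid" != "$want" ]; then
            echo "$dir: owner uid $uid, expected $want"
            bad=1
        fi
        # Octal 022 covers the write bits for group and other.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$dir: mode $mode is group- or world-writable"
            bad=1
        fi
        [ "$dir" = "$start" ] || [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}
```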


Posted: Sun Mar 24, 2013 3:46 am
Senior Member

Joined: Tue Aug 14, 2012 5:55 pm
Posts: 82
Thanks rsk,

I very much followed the Linode documentation and ended up with this. Basically Linode asked for creation of a separate super user and to log in to ssh via that rather than using the default root username. So now all my websites are at

/home/superuser/public

The owner and group name is also exactly "superuser"

What is the conventional place for putting all the websites and how do I move all my websites to that place without much fuss?

Would really appreciate some help.


Posted: Sun Mar 24, 2013 9:25 am
Senior Member

Joined: Tue Nov 24, 2009 1:59 pm
Posts: 362
If you are hosting unrelated websites for multiple people - i.e. you are the server owner, and offer webhosting for customers or friends - putting each user's website under their home directory makes some sense, as you can then e.g. easily use the SFTP chroot jails.

However, that makes sharing access to website code between different usernames very problematic.

If your webserver has a single, primary goal, or if you need to give multiple users access to a website, it's much better to use /srv (if such a directory does not exist, feel free to create it).

If you use /srv, your websites are not tied to users; however, when you're using sftp chroot, you will need to bind-mount the website directory to each user's home directory so they can reach it from inside of the chroot.

Also, if you're granting multiple users access to website code, you may end up with some trouble when different users create files, and put different permissions on them - this can be mostly mitigated by setting up appropriate ACLs on the website directories.



For a concrete, if a bit complicated example, one of my webservers is a mix that hosts a bunch of "main" sites and some separate ones for friends.

Main ones are in /srv, and are being edited by our core team (multiple users); we have ACLs in place to minimize the permission issues, shell access, and non-chrooted sftp.

Friends have theirs inside their homedirs, and are chrooted so can't access anything outside of their homedir.



As for moving the existing website, well, it depends on what the website is.
Some CMS systems are known to hardcode the disk path in various places in the database, for example.

But in general - create /srv/websitename, move files from the current location to there, adjust the webserver's configuration to use that directory, and see if it works. :)
If it doesn't, time to investigate.
Are the permissions on the files set so the webserver can read all it needs to read, and write where it needs to write? (Be very careful about the second part, write access should be as limited as possible).
Can you see some errors referring to the old path? Then there are some references to the old path in some config files of the webserver or website (or in the DB). This has to be edited.
If you're using some popular package, like WordPress, or Drupal, or such, asking for help in their forums would give you more concrete information.
