Linode Community Forums
Posted: Wed Dec 15, 2010 4:22 pm
Senior Newbie

Joined: Wed Nov 17, 2010 5:57 pm
Posts: 8
This is my first time around with Linux on my own (Debian 5) and I'm trying to provide SFTP access to other people so they can only upload and download files in a specific website directory (/srv/www/example.com).

I followed this great tutorial: http://library.linode.com/security/sftp-jails/

I changed the user's home directory to /srv/www/example.com but didn't change folder permissions for any subfolders.

I am able to login with a new account via SFTP and view all the subfolders. I can download files. The problem is I cannot upload any files. I get permission denied when opening for write.

I know this is something incredibly basic but I don't have a good grasp on users, groups, and permissions yet. I didn't want to change ownership of any of the files from www-data because I didn't want to break something.

Any help appreciated.


Posted: Thu Dec 16, 2010 12:24 am
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Run ls -l in the directory where your files are stored and you'll see something like

-rw-r--r-- 1 user group 1196189 Dec 13 07:38 filename

The first rw means the user has read/write access; the other r's mean the group and everyone else have read access. What you will want to do is either set the group bit to read/write or the other bit to read/write (depending on how restrictive you want to be).

Use chmod g+w filename to set the group write bit, or chmod o+w filename to make the other bit writable.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Thu Dec 16, 2010 9:13 am
Senior Member

Joined: Tue Aug 17, 2010 5:00 pm
Posts: 61
Hi Volantis,

I just went through the same discovery process. You have to make root the owner of the jailed chroot, and then the user the owner of the recursive directories. So I did the following

chown root:root /srv/www/domain1.tld
chown root:root /srv/www/domain2.tld

and so on for each domain. Then, I did

chown user1:user1 /srv/www/domain1.tld/*
chown user2:user2 /srv/www/domain2.tld/*

After all this is done, they will be able to write to any subfolder within their jailed chroot (/srv/www/domain.tld/public_html for example), but they will not be able to write directly to the root folder. So you would need to create any new subfolders directly off the root directory for the user.

Now if you're going to have a single user managing multiple domain folders, take a look at rsk's last post from my thread, which is pretty clever; you would just need to ensure the wwwroot for those domains is updated properly in the vhost file(s): http://www.linode.com/forums/viewtopic.php?t=6359


Posted: Mon Dec 20, 2010 1:03 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Uf, I don't get this. This is what I need, but I can't get it to work.

First of all, http://library.linode.com/security/sftp-jails/ says:

Restart OpenSSH as follows:
/etc/init.d/ssh restart

but it's not working; I can't navigate to the init.d folder.
cd init.d is not working, I can't get into that folder.

Then the tutorial doesn't say, but I guess I have to add a user; I just don't know whether I can do it when I log in to the Linode admin interface, or whether I have to do it from the command line?

Ah, this is so complicated for me, and I really need to get this thing to work, please help :(


Posted: Mon Dec 20, 2010 1:43 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Ok, so I'm able to create a user, and the user can log in with FileZilla using SFTP. The user logs in directly where it's supposed to, to the right domain that I want, BUT he can then navigate up; he can see all other sites on the server and all other files.
How can I prevent him from seeing other files on the server?


Posted: Mon Dec 20, 2010 3:15 pm
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
AndrijaM wrote:
Ok, so I'm able to create a user, and the user can log in with FileZilla using SFTP. The user logs in directly where it's supposed to, to the right domain that I want, BUT he can then navigate up; he can see all other sites on the server and all other files.
How can I prevent him from seeing other files on the server?

I managed a similar solution via scponly. It has a script for creating the chroot environment, and it's working nice for me.


Posted: Mon Dec 20, 2010 3:19 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Melon, I'm not sure what you're trying to say... what should I do to make this work?


Posted: Mon Dec 20, 2010 6:39 pm
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
AndrijaM wrote:
Melon, I'm not sure what you're trying to say... what should I do to make this work?

Sorry for giving an incomplete suggestion. I thought you were looking for a solution to allow your users to log in via SFTP and restrict them to their home directory via chroot/jail.

I managed to do this via the scponly package. The package provides two shells: scponly and scponlyc, the latter being a chrooted sftp-only shell. The deb package has a setup_chroot.sh script which by default is in /usr/share/doc/scponly/setup_chroot in Ubuntu. The shell script will create the user, set up the home directory and install a minimal chroot environment for that particular user. I found this method absolutely fine for me, however your mileage may vary.
If this is not what you want to achieve, I may have misread something, and burn my post after reading :)


Posted: Tue Dec 21, 2010 6:04 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Melon, thanks, that's exactly what I need to do:

to allow user to log in via SFTP and restrict them into their home directory... (I don't know what chroot/jail is, I need easiest way to make this work )

just don't know how :)

I installed scponly package. How do I start that script?

And btw setup_chroot.sh is setup_chroot.sh.gz


Posted: Tue Dec 21, 2010 9:48 am
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
AndrijaM wrote:
Melon, thanks, that's exactly what I need to do:

to allow user to log in via SFTP and restrict them into their home directory... (I don't know what chroot/jail is, I need easiest way to make this work )

just don't know how :)

I installed scponly package. How do I start that script?

And btw setup_chroot.sh is setup_chroot.sh.gz

A chroot or jail environment means that a user or process is restricted to its own directory and cannot see the entire filesystem.

If the setup_chroot.sh script is gzipped, you need to uncompress it first.
Go to the directory where your setup_chroot.sh.gz file is, then run:
Code:
sudo gunzip setup_chroot.sh.gz

If the script is not executable, change permissions (e.g.: sudo chmod 755 setup_chroot.sh)
After that you can run the script via root (sudo ./setup_chroot.sh) which will ask for a username, home directory, name of the writable dir (default is 'incoming') and you can set the password for the new user.

If everything goes fine, your system will have a user that can only login to an scp/sftp enabled shell and cannot change directory outside its home.

You are advised to plan the filesystem layout for your websites, for example:
domain1.com and domain2.com for user 'john':
virtual host roots:
/srv/www/john/domain1.com/public
/srv/www/john/domain2.com/public
john's home is:
/srv/www/john
Then either set the public folders' permissions to something that john is able to write, or change the folder's ownership to john's.

I hope this is clear and simple enough.

One additional note: I usually create a user group named 'sftponly', put these chrooted users into this group and set this group in sshd_config:
Code:
Match group sftponly
    PasswordAuthentication yes
    PubkeyAuthentication no

If I want my users to use only key-based logins I switch the yes/no values in the config above.


Posted: Tue Dec 21, 2010 10:37 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Thanks Melon. I'm fighting this on two sides, two different roads; I opened another thread here, but still no luck.

This is what I get:

/bin/grep: config.h: No such file or directory

your scponly build is not configured for chrooted operation.
please reconfigure as follows, then rebuild and reinstall:

./configure --enable-chrooted-binary (... other options)


Posted: Tue Dec 21, 2010 10:49 am
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
It seems that your config.h is missing from where the script searches for it.
I just checked my files and there is a config.h file in the same directory as the setup_chroot.sh script. I suppose this config.h file needs to be in the same directory as the script.
However, this is Ubuntu 8.04; other distros or versions might have placed this elsewhere.


Posted: Tue Dec 21, 2010 10:58 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
No, it's in the same /usr/share/doc/scponly/setup_chroot directory; config.h and setup_chroot.sh are the only two files there. Something else is wrong, I guess config.h needs to be changed...


Posted: Tue Dec 21, 2010 12:09 pm
Senior Member

Joined: Sun Mar 23, 2008 10:10 am
Posts: 71
Website: http://frontseed.com/
Your error message said that the script could not open config.h with the grep command so I suppose you did not run the script from its directory. Please check.


Posted: Tue Dec 21, 2010 1:19 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
This is what I run:

sudo /usr/share/doc/scponly/setup_chroot/setup_chroot.sh from root.

Is this the correct command, or am I missing something?

I did: sudo chmod 755 setup_chroot.sh before and that went well.

