Linode Community Forums
Posted: Fri Apr 19, 2013 3:30 pm
Is there anything in the documentation or elsewhere that demonstrates how to do the following?

1. Add a new user
2. Grant them SSH and SFTP access to *only* their home directory and their websites.


I host a number of client websites (e.g. /srv/www/myclient.com/public_html) on my Linode server. I now want to be able to add users to my server who will have the ability to SSH and SFTP into their websites. Being an infrequent Linux admin, I'd simply like to know how best to make this happen ... and if there are any best practices I should follow in order to make sure things are as secure as possible with this scenario.


Thanks much - wg


Posted: Fri Apr 19, 2013 8:29 pm
By default they will have write access only to their home directories, but read access to most of everything else. If you want to prevent read access to the rest of the system, you need to look into using chroot.


Posted: Sat Apr 20, 2013 1:11 am
This guide covers setting up SFTP jails. Note that you would need to set the appropriate home directory for the user with something like usermod -d /srv/www/myclient.com username first. The user's home directory, as well as the directories above it, must be owned by root and not writable by any other user or group.

Allowing SSH access would be considerably more involved. It requires that copies of all binaries and device nodes that the user may need be present under the user's home directory.
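
The ownership rule in the post above can be checked before a jailed user's first login. The following is an added example, not part of the original thread: the function names are hypothetical, it assumes GNU `stat` on Linux, and it walks from the jail directory up to `/`, requiring each directory to be owned by uid 0 and not writable by group or others.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an SFTP jail path.
# Assumption: GNU coreutils `stat` (Linux). Function names are hypothetical.

# component_ok UID MODE
# Returns 0 when a directory with this owner uid and octal mode satisfies
# the rule: owned by root (uid 0), no group-write or other-write bit.
component_ok() {
    c_uid=$1
    c_mode=$2
    [ "$c_uid" -eq 0 ] 2>/dev/null || return 1
    # 022 (octal) = group-write | other-write
    [ $(( 0$c_mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR
# Returns 0 when DIR and every parent up to / pass component_ok,
# 1 when any component fails (each one is reported on stderr),
# 2 when DIR is not an accessible directory.
check_chroot_path() {
    # Resolve symlinks so the real directory chain is inspected.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2
        return 2
    }
    rc=0
    while :; do
        uid=$(stat -c '%u' "$dir")
        mode=$(stat -c '%a' "$dir")
        if ! component_ok "$uid" "$mode"; then
            echo "BAD  $dir (uid=$uid mode=$mode)" >&2
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage, with the example path from the thread:
#   check_chroot_path /srv/www/myclient.com && echo "jail path OK"
```

A directory that fails here is usually fixed by making it root-owned with mode 755 and giving the user a writable subdirectory (such as public_html) inside it.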


Posted: Sat Apr 20, 2013 8:00 am
For the SSH case, I've used jailkit before, with good success.

There's also debootstrap. :-)

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Wed Apr 24, 2013 3:51 pm
Vance wrote:
This guide covers setting up SFTP jails. Note that you would need to set the appropriate home directory for the user with something like usermod -d /srv/www/myclient.com username first. The user's home directory, as well as the directories above it, must be owned by root and not writable by any other user or group.

Allowing SSH access would be considerably more involved. It requires that copies of all binaries and device nodes that the user may need be present under the user's home directory.



Thanks for the link ... worked perfectly.


As I'm running on a LEMP stack, with all of my sites running under www-data:www-data, will I have any problems with these SFTP users uploading files that need to be served by Nginx given that the owner will be myuser:myuser?

They will be uploading, for the time being, php, html, css, javascript files.


Thanks again.


Posted: Wed Apr 24, 2013 4:33 pm
By default the files created will have read permissions for owner, group and others, so no - nginx should serve files just fine. There may however be a problem with PHP when writing files; this happens quite a lot on hosting environments. Reading PHP will be fine, but if you need to upload stuff or things like that you'll have to set the folder where it is stored to a more open chmod. Unless of course PHP also runs on www-data.

