 Post subject: Problems with SFTP
Posted: Tue Dec 21, 2010 8:23 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/
but something's just not working.

First of all I was getting this error:
"Directive 'UsePAM' is not allowed within a Match block" after trying to execute "/etc/init.d/ssh restart".

I found the solution with putting the Match block at the very end of the config file.

Second, this guide doesn't tell that I need to create a user and how, so I found that here http://library.linode.com/LikRHS

My problem now is this:
when I try to execute the last line of code:

chown username:username *

I get this error:

chown: invalid group: `username:username'

I need to make that a user that I created can go only to /srv/www/example.com

Please help, I'm stuck with this for 2 days now...
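
Added example (not part of the original post or the Linode guide): the UsePAM error above occurs because a Match block has no closing marker, so every directive placed after it is parsed as part of the block. The sketch below flags such directives by line number; the keyword list is a short illustrative subset, and the sample configs and function names are constructed for this example.

```shell
#!/bin/sh
# Keywords sshd refuses inside a Match block. Deliberately short, not exhaustive;
# UsePAM is the one reported in this thread.
GLOBAL_ONLY="usepam port listenaddress hostkey"

# lint_match_blocks FILE
# Prints "line:Keyword" for every global-only keyword found after a Match line
# and returns 1 if any were found. A Match block runs to the next Match line
# or to end of file, so anything below it belongs to it.
lint_match_blocks() {
    awk -v bad="$GLOBAL_ONLY" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) deny[b[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # indentation is cosmetic only
            split(line, f, /[ \t=]+/)            # "Keyword value" or "Keyword=value"
            key = tolower(f[1])                  # keywords are case-insensitive
            if (key == "match") { in_match = 1; next }
            if (in_match && (key in deny)) { print NR ":" f[1]; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample: Match block pasted mid-file, UsePAM left below it.
write_broken_sample() {
    cat > "$1" <<'EOF'
# constructed sample config
Subsystem sftp internal-sftp
Match Group filetransfer
    ChrootDirectory %h
    ForceCommand internal-sftp
UsePAM yes
EOF
}

# Same settings with the Match block moved to the very end of the file.
write_fixed_sample() {
    cat > "$1" <<'EOF'
# constructed sample config
Subsystem sftp internal-sftp
UsePAM yes
Match Group filetransfer
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF
}
```

Running `sshd -t` as root before restarting the service performs the authoritative version of this check against the real configuration.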


 Post subject:
Posted: Tue Dec 21, 2010 8:52 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Ok, so I've found the solution, on that last line:

chown username:group *

should be, and not username:username *.

This way, I can log in to the site with SFTP, in the right place /srv/www/example.com, BUT user can see all files on the server.

How can I fix that last thing, so that user can see only his files in /srv/www/example.com ?


 Post subject:
Posted: Tue Dec 21, 2010 1:05 pm
Senior Member

Joined: Mon Dec 20, 2010 11:37 pm
Posts: 76
Look at this: http://library.linode.com/security/sftp-jails/


 Post subject: Re: Problems with SFTP
Posted: Tue Dec 21, 2010 1:14 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Thanks, but :)
AndrijaM wrote:
Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/
but something's just not working.

That's what I'm referring to, but I can't get it to work. Anybody else, anything?


 Post subject: Re: Problems with SFTP
Posted: Tue Dec 21, 2010 5:41 pm
Senior Member

Joined: Mon Dec 20, 2010 11:37 pm
Posts: 76
AndrijaM wrote:
Thanks, but :)
AndrijaM wrote:
Well, I'm trying to provide SFTP access for another user, I'm following this guide http://library.linode.com/security/sftp-jails/
but something's just not working.

That's what I'm referring to, but I can't get it to work. Anybody else, anything?


Yes, sorry.

I've just tried that setup and it worked for me. I think your jail is not working at all.

Is /var/www/example.com HOME directory for that username? You can check it executing "env" from console with the username rights, and you will see one line "HOME=/your/home/path".

That HOME should be /var/www/example.com. If it isn't, you can edit your user with "usermod -d /var/www/example.com username".


 Post subject:
Posted: Tue Dec 21, 2010 5:56 pm
Senior Member

Joined: Wed Oct 20, 2010 12:11 pm
Posts: 142
Did you add your user to the 'filetransfer' group (that you made for the match statement)?


 Post subject: Re: Problems with SFTP
Posted: Wed Dec 22, 2010 7:06 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
drpks wrote:
Is /var/www/example.com HOME directory for that username? You can check it executing "env" from console with the username rights, and you will see one line "HOME=/your/home/path".


Can you tell me exactly what should I type for env command, what is the correct syntax?

If I type env username
I get no such file or directory

drpks wrote:
That HOME should be /var/www/example.com. If it isn't, you can edit your user with "usermod -d /var/www/example.com username".


When I try usermod -d /var/www/example.com username
I get usermod: no changes, I guess that means that's fine.

As I said, I'm able to login, but the user can see everything else on the server, he can browse to the top, he can't write anywhere else but in his directory example.com, but I need also that he can not see anything else but his own site.


 Post subject:
Posted: Wed Dec 22, 2010 6:17 pm
Senior Member

Joined: Mon Dec 20, 2010 11:37 pm
Posts: 76
Let's say your username is "john"

You have to be logged in to a console as "john" and type the "env" command. "env" shows the user's environment variables. Alternatively, you can type "echo $HOME". It should return "HOME=/var/www/example.com"
If it isn't, you must change it with "usermod -d /var/www/example.com john" (run as root).

I think you have set up in your SCP/FTP client the remote path to /var/www/example.com... that's why you can login.


 Post subject:
Posted: Fri Dec 24, 2010 3:23 pm
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Well - it works now :)

I have to say this manual http://library.linode.com/security/sftp-jails/ is not really for beginners, it assumes that you already know something.

And also, there is one big mistake, well I don't know if it's a mistake, but it did not work for me:

the last line of code in the manual:

chown username:username *

is not working for me, I had to change it like this:

chown username:usergroup *

and after that all works fine, the user can log into his site directory, and cannot see other stuff on the server.

@drpks
thanks :)


 Post subject:
Posted: Fri Dec 24, 2010 8:00 pm
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
I assume you're not using a Debian-based distribution? They use a group scheme where each user gets a group of the same name as the username so technically it works as written.

Though using something like user:group would be more generic, and still applicable to Debian/Ubuntu (perhaps with a comment that the default group is typically the same as the user).

-- David


 Post subject:
Posted: Sat Dec 25, 2010 7:12 am
Senior Member

Joined: Thu Mar 11, 2010 1:09 pm
Posts: 62
Yes, I'm using Ubuntu, I guess that's what the problem was, it should be there in the manual, how am I supposed to know that?
I was thinking why is this command not working, and I tried username:usergroup and it worked, but I lost about a week on all this...
I will submit a comment there in the manual with link to this thread, I'm sure someone will need this sooner or later :)
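
Added example (not from any poster in this thread or from the Linode guide): "chown: invalid group" means no group with that name exists, which happens whenever the account's primary group is not named after the user. The sketch below resolves the `user:group` pair from passwd/group data; the accounts `john` and `alice`, the group `webclients`, and the function names are constructed, and reading the flat files directly assumes local accounts (no LDAP/NSS).

```shell
#!/bin/sh
# owner_spec USER [PASSWD_FILE] [GROUP_FILE]
# Prints "user:primarygroup", the form to hand to chown for that account.
owner_spec() {
    user=$1; passwd=${2:-/etc/passwd}; group=${3:-/etc/group}
    # Field 4 of a passwd entry is the numeric primary GID.
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
    # Field 3 of a group entry is the GID; field 1 is the group name.
    grp=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    [ -n "$grp" ] || { echo "no group with gid $gid" >&2; return 1; }
    printf '%s:%s\n' "$user" "$grp"
}

# has_private_group USER [GROUP_FILE]
# Succeeds only if a group named exactly like the user exists, i.e. only
# then is "chown USER:USER" a valid owner specification.
has_private_group() {
    awk -F: -v u="$1" '$1 == u { ok = 1 } END { exit ok ? 0 : 1 }' "${2:-/etc/group}"
}

# Constructed sample data: john was created with an explicit primary group,
# alice with a same-named private group (the Debian/Ubuntu default).
write_samples() {
    cat > "$1/passwd" <<'EOF'
john:x:1001:2001::/srv/www/example.com:/bin/false
alice:x:1002:1002::/home/alice:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
filetransfer:x:2000:john
webclients:x:2001:
alice:x:1002:
EOF
}
```

On a live system `id -gn username` reports the same primary group, and GNU chown accepts `chown username: files` (trailing colon, no group) to apply the user's login group without naming it.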

