How to configure Chroot SFTP user with www-data rights in Ubuntu.

linux

In this tutorial we are going to implement chroot sftp user which have same rights without changing the actual folders/files permissions in ubuntu. For example chroot-sftp (username) will have all rights to create files/folders with www-data as owner and group in /var/www.

First of all, install bindfs on your system.

 sudo apt-get -y install bindfs

After that, add the user to your system:

sudo useradd chroot-sftp -m -G www-data -s /usr/sbin/nologin

sudo mkdir -p /home/chroot-sftp/www

sudo chown -Rf chroot-sftp:chroot-sftp /home/chroot-sftp/www

sudo chmod -Rf 755 /home/chroot-sftp/www

Edit /etc/fstab and bind /home/chroot-sftp/www to /var/www, so any new folder created in /home/chroot-sftp/www will appear in /var/www with www-data rights.

Permissions will be 755 for directories and 644 for files, with www-data as owner and group.

sudo vim /etc/fstab

And add one line (it’s for auto mount at reboot):

bindfs#/var/www /home/chroot-sftp/www fuse force-user=chroot-sftp,force-group=chroot-sftp,create-for-user=www-data,create-for-group=www-data,create-with-perms=god=rx:ud=rwx:gof=r:uf=rw,chgrp-ignore,chown-ignore,chmod-ignore 0 0

And run the command below to mount the directory:

mount -a

After that, edit the sshd config file:

vim /etc/ssh/sshd_config

Comment out the existing openssh sftp-server Subsystem line and, after ‘UsePAM yes’, add the ‘internal-sftp’ lines, so the file contains:

UsePAM yes

UseDNS no

#Subsystem sftp /usr/lib/openssh/sftp-server

Subsystem sftp internal-sftp

Match user chroot-sftp

ChrootDirectory /home/chroot-sftp

ForceCommand internal-sftp

AllowTcpForwarding no

Save the sshd_config file and check whether the sshd configuration is correct with the command below:

sshd -t

It’s highly recommended to test the sshd configuration before restarting. If sshd -t prints any error on screen, please don’t restart the sshd service; fix the issue first, then restart the service with the command below.
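A pre-flight script that automates these checks before the restart, added here as an example and not part of the original post. Besides the sshd_config and fstab lines above, it covers a requirement the steps do not mention: sshd rejects a ChrootDirectory unless it and every parent directory are owned by root and not group- or world-writable. It assumes the tutorial’s names (user chroot-sftp, chroot /home/chroot-sftp, bind mount /home/chroot-sftp/www) and GNU stat on Linux.

```shell
#!/bin/sh
# Pre-flight check for the chroot-SFTP setup (added example, not the post's code).
# Assumes the tutorial's paths and GNU stat (Linux).

# sshd refuses a ChrootDirectory that is group- or world-writable.
# Returns 0 if DIR's mode has neither write bit set, 1 otherwise.
dir_is_safe_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Every directory from DIR up to / must be root-owned and not group/world
# writable, otherwise sshd logs "bad ownership or modes for chroot directory".
check_chroot_path() {
    dir=$1
    while [ "$dir" != "/" ]; do
        owner=$(stat -c '%u' "$dir") || return 1
        [ "$owner" -eq 0 ] || { echo "$dir: owned by uid $owner, must be root" >&2; return 1; }
        dir_is_safe_mode "$dir" || { echo "$dir: group/world writable" >&2; return 1; }
        dir=$(dirname "$dir")
    done
}

# The sshd_config FILE must use internal-sftp and carry the full Match block
# (keywords are case-insensitive, so "Match user" and "Match User" both pass).
check_sshd_config() {
    f=$1
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$f" || return 1
    grep -Eiq '^[[:space:]]*Match[[:space:]]+user[[:space:]]+chroot-sftp' "$f" || return 1
    grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+/home/chroot-sftp' "$f" || return 1
    grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$f" || return 1
    grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' "$f"
}

# The bindfs line in FILE (fstab) must keep chown-ignore and chmod-ignore so the
# SFTP user cannot change ownership or permissions on the underlying /var/www.
check_fstab() {
    grep -Eq '^bindfs#/var/www[[:space:]]+/home/chroot-sftp/www[[:space:]]+fuse[[:space:]]+.*chown-ignore.*chmod-ignore' "$1"
}

# On the real host, run as root:  sh preflight.sh run
main() {
    check_chroot_path /home/chroot-sftp &&
    check_sshd_config /etc/ssh/sshd_config &&
    check_fstab /etc/fstab &&
    sshd -t && echo "OK: safe to restart sshd"
}

if [ "${1:-}" = "run" ]; then main; fi
```

If check_chroot_path fails on /home/chroot-sftp itself, fix it with chown root:root and chmod 755 on that directory (the www subdirectory mounted by bindfs may stay owned by chroot-sftp).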

service sshd restart

All done!

Check my GITHUB repository for other bash scripts.

AmritMatti

I’m the owner of “DevOpsTechy.online” and been in the industry for almost 5 years. What I’ve noticed particularly about the industry is that it reacts slowly to the rapidly changing world of technology. I’ve done my best to introduce new technology into the community with the hopes that more technology can be utilized to serve our customers. I’m going to educate and at times demonstrate that technology can help businesses innovate and thrive. Throwing in a little bit of fun and entertainment couldn’t hurt right?
