Chroot sftp user

We have a user who can’t use FTPS because of a corporate firewall but SSH is OK. I’ve done as follows:

Pretty much followed the guide here: https://linuxize.com/post/how-to-set-up-sftp-chroot-jail/

In sshd_config there was already a Subsystem directive:

Subsystem sftp /usr/lib/openssh/sftp-server

I changed this to:

Subsystem sftp internal-sftp

I used a bind mount to give the user access to their web site in the home directory.

There is an issue with permissions in the web site. I tried changing the group of the relevant part of the web site to sftponly (the suggested group name for chrooted SFTP users) but a sympl script changed this back to www-data.

The solution I’ve found for the moment is to add the upload user to the www-data group which isn’t ideal.

Will the above steps break anything in sympl?

Tim
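An added example, not part of the original post or of Sympl: a check of the chroot path against the rule in sshd_config(5) that every component of a ChrootDirectory path must be a root-owned directory not writable by group or others. That rule covers the jail path itself; group changes such as www-data or sftponly belong on the bind-mounted content below it. The path `/home/upload` is hypothetical, GNU `stat` is assumed, and the optional owner and stop-directory arguments are there only so the check can be tried on a scratch tree.

```shell
#!/bin/sh
# Added example: check a ChrootDirectory path against sshd's ownership rule.
# sshd_config(5): every component of the path must be a root-owned directory
# that is not writable by any other user or group.
# Assumes GNU stat (coreutils); /home/upload below is a hypothetical path.

# check_component DIR OWNER_UID: report one directory, return 1 on a violation.
check_component() {
    if [ ! -d "$1" ]; then
        echo "FAIL $1: not a directory"; return 1
    fi
    c_uid=$(stat -c %u "$1")
    c_mode=$(stat -c %a "$1")
    if [ "$c_uid" != "$2" ]; then
        echo "FAIL $1: owner uid $c_uid, expected $2"; return 1
    fi
    # 022 = group-write and other-write permission bits
    if [ $(( 0$c_mode & 022 )) -ne 0 ]; then
        echo "FAIL $1: mode $c_mode is group/other writable"; return 1
    fi
    echo "ok   $1 (uid $c_uid, mode $c_mode)"
}

# audit_chroot_path PATH [OWNER_UID] [STOP_DIR]
# Walks from PATH up to STOP_DIR (default /) and checks every component.
# OWNER_UID defaults to 0 (root); the two optional arguments exist so the
# check can be exercised on a scratch tree without root.
audit_chroot_path() {
    a_dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "FAIL $1: cannot resolve"; return 1
    }
    a_owner=${2:-0}
    a_stop=${3:-/}
    a_rc=0
    while :; do
        check_component "$a_dir" "$a_owner" || a_rc=1
        if [ "$a_dir" = "$a_stop" ] || [ "$a_dir" = "/" ]; then
            break
        fi
        a_dir=$(dirname "$a_dir")
    done
    return "$a_rc"
}

# Usage: sh audit.sh /home/upload
[ "$#" -eq 0 ] || audit_chroot_path "$@"
```

A FAIL line on any component means sshd will refuse the chrooted session, which it logs as a bad ownership or modes error for the chroot directory.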

Adding the user to the www-data group isn’t ideal, but there’s some level of support for the htdocs directory to be owned by other users/groups.

Check the documentation for the Filesystem permissions which should be able to help.

Many thanks, I’ll try that.

Tim