I have a bunch of sites in /var/www and need individual user logins with access to their respective sites. In this tutorial I’ll go over how to create a user, chroot jail them and allow access to specific folders (in our case web directories).
For reference I’m using a standard LAMP server on Ubuntu:
sudo apt-get install -y tasksel
sudo tasksel install lamp-server
but this tutorial will work for any web server configuration.
1. Create User, Assign Web Group
# Create the user setting group to www-data
sudo useradd -Ng www-data myuser
sudo passwd myuser
# Restrict login to SFTP only
sudo groupadd sftp-only
sudo usermod -aG sftp-only myuser
2. Create their web directory and provide access
With the new user created, make a directory matching their website’s name and mount the real website folder to it:
# Create the chroot directory tree (as root, since it lives under /home) and set permissions
sudo mkdir -p /home/myuser/mysite.com/html
sudo chmod 755 /home/myuser/mysite.com/html
# Bind-mount the real web directory onto the directory we just created
sudo mount --bind /var/www/mysite.com/html /home/myuser/mysite.com/html
# Add the mount command above to /etc/rc.local so the bind mount is recreated on boot
3. Restrict the user to SFTP Only
We only want to allow SFTP access for this user. First check the user’s entry in /etc/passwd and make sure the last field (the login shell) is /bin/false:
tail -n1 /etc/passwd
Now edit /etc/ssh/sshd_config to allow only SFTP for myuser:
Match User myuser
Restart the SSHD service:
sudo service sshd restart
Now when you try to SSH in with this user you’ll get the error:
This service allows sftp connections only.
That’s it! They should now be able to SFTP in and will only have a mysite.com directory with access to their web files.
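Putting the three steps together, as an added example that is not part of the original post: the procedure as shell functions, plus two checks the post does not show. The names myuser, mysite.com, sftp-only and the paths are the post’s placeholders; the fstab line is an assumed alternative to the rc.local entry; and the ownership check encodes sshd’s documented rule that the ChrootDirectory and every directory above it must be root-owned and not writable by group or others, otherwise the SFTP login is refused. ChrootDirectory, ForceCommand internal-sftp and sshd -t are real OpenSSH directives and flags.

```shell
#!/bin/sh
# Added example, not from the original post: the whole procedure as
# idempotent shell functions plus the chroot ownership check sshd enforces.
# Assumptions (placeholders from the post): login "myuser", site
# "mysite.com", web root under /var/www, jail at /home/myuser.

# Render the sshd_config Match block that confines a user to SFTP.
# $1 = login name, $2 = chroot directory
sftp_match_block() {
    printf '%s\n' \
        "Match User $1" \
        "    ChrootDirectory $2" \
        "    ForceCommand internal-sftp" \
        "    AllowTcpForwarding no" \
        "    X11Forwarding no"
}

# Render an /etc/fstab line that recreates the bind mount on boot
# (assumed alternative to the post's rc.local entry).
# $1 = real web directory, $2 = mount point inside the jail
bind_fstab_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# sshd refuses to chroot unless the ChrootDirectory and every component
# above it are owned by root and not writable by group or others.
# $1 = directory, $2 = required owner uid (defaults to 0 = root)
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    [ "$(stat -c %u "$dir")" = "$want_uid" ] || return 1
    case "$(stat -c %A "$dir")" in     # e.g. drwxr-xr-x
        ?????w*) return 1 ;;           # group-writable: rejected
        ????????w*) return 1 ;;        # world-writable: rejected
    esac
    return 0
}

# Walk from the jail up to / and apply the check at every level.
chroot_path_ok() {
    p=$1
    while [ "$p" != / ]; do
        chroot_dir_ok "$p" || return 1
        p=$(dirname "$p")
    done
    chroot_dir_ok /
}

# Create the user, the jail, the bind mount and the sshd stanza.
# Needs root; it is defined here but not run, call it on the server.
# $1 = login name, $2 = site name
jail_site_user() {
    user=$1 site=$2
    jail=/home/$user
    getent group sftp-only >/dev/null || groupadd sftp-only
    useradd -N -g www-data -s /bin/false "$user"
    usermod -aG sftp-only "$user"
    # The jail root must be root-owned and 755 or sshd rejects the login;
    # only the html mount point below it is meant to be written by the user.
    mkdir -p "$jail/$site/html"
    chown root:root "$jail" "$jail/$site"
    chmod 755 "$jail" "$jail/$site"
    mount --bind "/var/www/$site/html" "$jail/$site/html"
    bind_fstab_line "/var/www/$site/html" "$jail/$site/html" >> /etc/fstab
    chroot_path_ok "$jail" || { echo "$jail fails sshd chroot ownership checks" >&2; return 1; }
    sftp_match_block "$user" "$jail" >> /etc/ssh/sshd_config
    sshd -t && service sshd restart    # -t validates the config before restarting
}

# Preview the stanza that would be appended (harmless to run anywhere):
sftp_match_block myuser /home/myuser
```

Run jail_site_user myuser mysite.com as root once per site; chroot_path_ok can also be run on its own to diagnose the classic "connection closed" failure that follows from a user-owned or group-writable jail directory.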
mihai.ile’s post on Stack Overflow – How can I chroot sftp-only SSH users into their homes?