I have a bunch of sites in /var/www and need individual user logins with access to their respective sites. In this tutorial I’ll go over how to create a user, chroot jail them and allow access to specific folders (in our case web directories).
For reference I’m using a standard LAMP server on Ubuntu:
```
sudo apt-get install -y tasksel
sudo tasksel install lamp-server
```
but this tutorial will work for any web server configuration.
1. Create User, Assign Web Group
```
# Create the user with www-data as their primary group (-N: no private user group)
# and a non-interactive shell, since the account is only ever used for SFTP
sudo useradd -N -g www-data -s /bin/false myuser
sudo passwd myuser

# Restrict login to SFTP only
sudo groupadd sftp-only
sudo usermod -aG sftp-only myuser
```
Create their web directory and provide access
With the new user created, make a directory matching their website’s name and mount the real website folder to it:
```
# Create the chroot directory and the mount point inside it. /home/myuser itself must
# stay owned by root and not be group/world-writable, or sshd will refuse the chroot.
sudo mkdir -p /home/myuser/mysite.com/html
sudo chmod 755 /home/myuser/mysite.com/html

# Mount the real website directory at the directory we just created
sudo mount --bind /var/www/mysite.com/html /home/myuser/mysite.com/html

# Add the mount command above to /etc/rc.local (before its final "exit 0") so it is mounted on boot
sudo nano /etc/rc.local
```
Restrict the user to SFTP Only
We only want to allow SFTP access for this user. First check the user's entry in /etc/passwd and make sure the line ends with /bin/false, like so:
```
tail -n1 /etc/passwd
# myuser:x:1001:33::/home/myuser:/bin/false

# If the shell is not /bin/false, set it:
sudo usermod -s /bin/false myuser
```
Now edit /etc/ssh/sshd_config and add the following block at the end of the file (a Match block applies until the next Match line, so it has to come after the global settings) to allow only SFTP for myuser. The ChrootDirectory and every directory above it must be owned by root and not writable by group or others, otherwise sshd rejects the login with "bad ownership or modes for chroot directory":
```
Match User myuser
    ChrootDirectory /home/myuser
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```
Restart the SSHD service:
```
sudo service sshd restart
# On Ubuntu releases where the init script is named "ssh" rather than "sshd":
# sudo service ssh restart
```
Now when you try to SSH in with this user you’ll get the error:
This service allows sftp connections only.
That’s it! They should now be able to SFTP in and will only have a mysite.com directory with access to their web files.
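As an added check that is not part of the original tutorial, the following script audits the three things this setup depends on: the account's shell is non-interactive, the chroot path from / down to /home/myuser is root-owned and not group/world-writable, and sshd_config has the Match block with ChrootDirectory and ForceCommand internal-sftp. The file paths and the user name myuser are the tutorial's; the `table_stat` helper is an assumption that lets the permission check run against constructed (uid, mode) data instead of the live filesystem.

```python
import os
from collections import namedtuple
from pathlib import PurePosixPath
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}
Stat = namedtuple("Stat", "st_uid st_mode")  # minimal stand-in for os.stat_result

def shell_is_locked(passwd_text, user):
    """True if the user's /etc/passwd line ends in a non-interactive shell."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6] in NOLOGIN_SHELLS
    return False  # no such account

def chroot_path_problems(chroot, stat_of=os.stat):
    """sshd requires / down to the ChrootDirectory to be root-owned and not
    group/world-writable. Returns the violations; stat_of is injectable."""
    problems, path = [], PurePosixPath(chroot)
    for component in (path, *path.parents):
        st = stat_of(str(component))
        if st.st_uid != 0:
            problems.append(f"{component}: not owned by root")
        if st.st_mode & 0o022:
            problems.append(f"{component}: writable by group or others")
    return problems

def table_stat(table):
    # stat_of callable backed by a constructed {path: (uid, mode)} table, for dry runs
    return lambda p: Stat(*table[p])

def match_block(sshd_config_text, user):
    """Directives inside 'Match User <user>' as {lowercased key: value}."""
    directives, inside = {}, False
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        if key.lower() == "match":  # any Match line ends the previous block
            parts = value.split()
            inside = len(parts) == 2 and parts[0].lower() == "user" and parts[1] == user
            continue
        if inside:
            directives[key.lower()] = value.strip()
    return directives

def sftp_only(sshd_config_text, user):
    """True when the Match block chroots the user and forces internal-sftp."""
    d = match_block(sshd_config_text, user)
    return "chrootdirectory" in d and d.get("forcecommand") == "internal-sftp"
```

Run it as root against /etc/passwd, /etc/ssh/sshd_config and the ChrootDirectory; note that a home directory created with `useradd -m` is owned by the user and fails the ownership check, which is why the tutorial creates it with mkdir as root instead.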
Further Reading
mihai.ile’s post on Stack Overflow – How can I chroot sftp-only SSH users into their homes?