Thursday, December 3, 2015

permissions - nginx server, multiple users editing their own files via SFTP



I'd like to have a Debian server set up so that different users have their own domains that only they can edit, e.g.:



/home/
+ /bob/www/
    + oldsocks.com/
    + nosepickers.org/
+ /joe/www/
    + no-fun.com/
    + whatever.net/


Bob should be able to SFTP in and edit his stuff, and likewise for Joe. The problem, of course, is that nginx and php-fpm run as www-data. With Apache, I was able to install the apache-mpm-itk package and use the AssignUserID directive to make each virtual host have its own uid/gid. I don't think any such thing exists for nginx.



I'm not experienced enough to know of a good way to set up the above structure that works with nginx. I suppose I'll have to settle for all files being owned by www-data and find some way to lock each SFTP user to their own www folder (ssh jail?). I'm open to suggestions.




Side note: Ideally, each user would be locked into their www folder when SFTP'ing in, but not SSH'ing in. Don't know if that's possible.


Answer



One of the solutions is to use ProFTPd with mod_sftp like this:



SFTPEngine on
SFTPLog /var/log/sftp.log
# Separate port from sshd: SFTP logins go through ProFTPd (jailed),
# plain SSH logins still go through sshd (not jailed).
Port 2222
SFTPHostKey /etc/ssh/ssh_host_rsa_key
# Newer systems no longer generate a DSA host key; drop this line if the file is absent.
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPCompression delayed

MaxLoginAttempts 6
# Jail each user to their home directory.
DefaultRoot ~
# 002: new files are group-writable, so www-data can edit them too.
Umask 002
# Create missing homes as mode 770 (files) / 770 (directories).
CreateHome on 770 dirmode 770


Then change joe's and bob's user group to www-data.
Your web server will be able to access the files because they are www-data group-readable and -writable. DefaultRoot will jail users inside their home directories, and all newly created files and folders will have the www-data group.

