desperado - 1 month ago 13
Apache Configuration Question

Allow external contractor to access the apache webfolder only. Option: SFTP Jailing

Following problem: We run a CentOS webserver and would like to grant access to an external contractor who only needs to access our webfolder '/var/www' to modify/upload files.

What I tried was setting up SFTP jailing (according to the following documentation: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/), but I can't make it work for the following reason: the whole webfolder is owned by the Apache user apache:apache, as usual in CentOS. But SFTP needs root:root ownership, otherwise the following error appears:

fatal: bad ownership or modes for chroot directory component "/var/www/" [postauth]

So how can I set up SFTP or another solution in order to keep the "www" folder owned by apache:apache and allow another user to access it?

Are there other options to solve this problem than SFTP, or is SFTP the right thing to do?

Thank you in advance for your help!

Answer

That's how I finally did it:

Create Group and Users

groupadd webmasters
useradd -g webmasters -d /var/www/ -s /sbin/nologin externalProvider
passwd externalProvider

Setup sftp-server Subsystem in sshd_config

vim /etc/ssh/sshd_config

Comment out the existing Subsystem line and add: Subsystem sftp internal-sftp

Add at the end of sshd_config:

Match Group webmasters
    ChrootDirectory /var/www/
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Restart sshd service

systemctl restart sshd

Folder Permissions

File permissions are very critical! Check very carefully if the following apply for your situation.

chown -R root:webmasters /var/www/html/
sudo find /var/www/html/ -type f -exec chmod 664 {} \;
sudo find /var/www/html/ -type d -exec chmod 775 {} \;
sudo find /var/www/html/ -type d -exec chmod g+s {} \; # Set SGID in order to keep group for newly created files
sudo chown -R apache:webmasters /var/www/html/ffhs/data/ # As data directory must be writable by apache
chown root:root /var/www/
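The "bad ownership or modes for chroot directory component" error from the question and the "check very carefully" warning in the answer come from the same rule: sshd refuses a ChrootDirectory unless every path component up to / is owned by root and is not writable by group or others. The script below is an added example, not part of the original post, that applies that rule to each component of a path so the permissions from the answer can be verified before restarting sshd. It assumes GNU stat (the -c option, as on CentOS); the function names chroot_component_ok and check_chroot_path are my own. Note that it only walks the chroot path itself (/var/www, /var, /), so the group-writable, SGID html directory below the chroot is not checked and does not need to satisfy the rule.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a ChrootDirectory
# satisfies the ownership/mode rule sshd enforces on every path component.

# Pure check on one component: uid must be 0 (root) and the permission bits
# must not include group write (020) or other write (002).
# $1 = numeric uid, $2 = permission bits in octal as printed by `stat -c %a`.
chroot_component_ok() {
    uid="${1:-}"
    mode="${2:-}"
    [ -n "$uid" ] && [ -n "$mode" ] || return 1
    [ "$uid" -eq 0 ] || return 1
    # Prefix with 0 so the shell parses the stat output as octal.
    perm=$((0$mode & 0777))
    [ $((perm & 022)) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot directory up to / and check each component.
# Prints an sshd-style diagnostic for the first offending component.
check_chroot_path() {
    dir="${1:-}"
    [ -n "$dir" ] || return 1
    while :; do
        uid=$(stat -c '%u' "$dir" 2>/dev/null) || return 1
        mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "bad ownership or modes for chroot directory component \"$dir\" (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Stand-alone use: ./check_chroot.sh /var/www/
if [ $# -gt 0 ]; then
    if check_chroot_path "$1"; then
        echo "ok: every component of $1 is root-owned and not group/world-writable"
    else
        exit 1
    fi
fi
```

Run it as `sh check_chroot.sh /var/www/` after the chown root:root step; if it reports a component such as /var/www with mode 775 or a non-zero uid, that is the directory sshd will reject at login.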