1 vote

The problem: We run a CentOS web server and would like to grant access to an external contractor who only needs access to our web folder '/var/www' to modify/upload files.

What I tried was setting up SFTP jailing (according to the following documentation: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/), but I can't make it work for the following reason: the whole web folder is owned by the Apache user apache:apache, as usual on CentOS. But SFTP needs root:root ownership, otherwise the following error appears:

fatal: bad ownership or modes for chroot directory component "/var/www/" [postauth]

So how can I set up SFTP, or another solution, in order to keep the "www" folder owned by apache:apache and allow another user to access it?

Are there other options to solve this problem than SFTP, or is SFTP the right thing to do?

Thank you in advance for your help!


2 Answers

2 votes

Well, you'd need to make sure that you've set the proper permissions and ownership for the SFTP directory. Also, make sure the jailed user's home directory is owned by root:root and chmod it to 755 (so 'other' users can execute it).

chown root:root /home/$SFTPUSER
chmod 755 /home/$SFTPUSER

Also, you'd need to make sure that the original web directory is owned by the $SFTPUSER user and apache, along with permission 2775.

1 vote

That's how I finally did it:

Create Group and Users

groupadd webmasters
useradd -g webmasters -d /var/www/ -s /sbin/nologin externalProvider
passwd externalProvider

Setup sftp-server Subsystem in sshd_config

vim /etc/ssh/sshd_config

Comment out the existing Subsystem line and add:

Subsystem       sftp    internal-sftp

Add at the end of sshd_config:

Match Group webmasters
ChrootDirectory /var/www/
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

Restart sshd service

systemctl restart sshd

Folder Permissions

File permissions are very critical! Check very carefully whether the following apply to your situation.

chown -R root:webmasters /var/www/html/
sudo find /var/www/html/ -type f -exec chmod 664 {} \;   # files: group (webmasters) may write
sudo find /var/www/html/ -type d -exec chmod 775 {} \;   # directories: group may create/delete entries
sudo find /var/www/html/ -type d -exec chmod g+s {} \;   # Set SGID in order to keep group for newly created files
sudo chown -R apache:webmasters /var/www/html/ffhs/data/ # As data directory must be writable by apache
chown root:root /var/www/   # the ChrootDirectory itself must stay root-owned and not group/world-writable
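Both answers above hinge on the same rule, which is what produces the "bad ownership or modes for chroot directory component" error in the question: sshd refuses to chroot unless every directory from "/" down to the ChrootDirectory is owned by root and is neither group- nor world-writable. The script below is an added example, not code from either answer; it re-implements that check so you can run it against the path from your Match block before restarting sshd, instead of discovering the offending component from a failed login. It assumes GNU coreutils `stat` (present on CentOS). The `WANT_UID` and `TOP` parameters are assumptions added here only so the logic can be exercised on a throw-away tree owned by an unprivileged user; sshd itself always walks to "/" and always requires uid 0.

```shell
#!/bin/sh
# Added example: reproduce the per-component ownership/mode check sshd
# performs before chrooting an SFTP user. Requires GNU coreutils `stat`.

# check_chroot_dir PATH WANT_UID
# Check one directory component. Prints a reason and returns 1 on the
# first problem; returns 0 silently when the component is acceptable.
check_chroot_dir() {
    p=$1
    cd_uid=$2
    if [ ! -d "$p" ]; then
        echo "$p: not a directory"
        return 1
    fi
    # %u = numeric owner uid, %a = permission bits in octal (e.g. 755, 2775, 1777)
    info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "$p: cannot stat"; return 1; }
    set -- $info
    uid=$1
    mode=$2
    if [ "$uid" != "$cd_uid" ]; then
        echo "$p: owned by uid $uid, must be owned by uid $cd_uid"
        return 1
    fi
    # The last two octal digits are the group and other permission triplets.
    # Any digit with the write bit set (2, 3, 6, 7) means g+w or o+w, which
    # sshd rejects (so a 1777 /tmp or a 775 web root can never be a chroot).
    go=${mode#"${mode%??}"}
    case "$go" in
        *[2367]*)
            echo "$p: mode $mode is group- or world-writable"
            return 1
            ;;
    esac
    return 0
}

# check_chroot_chain DIR [WANT_UID] [TOP]
# Walk from DIR upward and check every component until TOP is reached.
# Defaults (uid 0, TOP "/") match what sshd does; the optional arguments
# are a test-only convenience, not something sshd offers.
check_chroot_chain() {
    d=$1
    cc_uid=${2:-0}
    top=${3:-/}
    # Normalise a trailing slash such as "ChrootDirectory /var/www/".
    [ "$d" != "/" ] && d=${d%/}
    [ "$top" != "/" ] && top=${top%/}
    while :; do
        check_chroot_dir "$d" "$cc_uid" || return 1
        [ "$d" = "$top" ] && return 0
        [ "$d" = "/" ] && return 0
        d=$(dirname "$d")
    done
}

# Stand-alone usage against the ChrootDirectory from the answer above:
#   check_chroot_chain /var/www/ && echo "sshd will accept /var/www/ as chroot"
```

Once the chain passes, `sshd -T -C user=externalProvider` (run as root) prints the effective configuration for that user, which confirms the Match block actually applies the ChrootDirectory and ForceCommand to the contractor account. Because the chroot root must be root-owned and not group-writable, the contractor can never write directly into /var/www itself; the writable area has to be a subdirectory such as /var/www/html, which is exactly what the permission block above sets up.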