0 votes
51 views
by Talented
Has anyone sorted out a way to allow additional user accounts that have SFTP access only to specific sites/folders within a server?

I can add the additional accounts. I can add passwords and set up SFTP access. What I can't figure out is how to assign permissions to the site directory in a way that (1) allows a user to have a specific folder set up as their SFTP root while (2) also allowing WordPress access to write to the uploads folder.

In short, I got as far as locking everything down properly from the SFTP side, but that seemed to prevent WordPress from accepting file uploads since the folders were owned by a different user.

To anyone who's sorted this out - if you don't have time to share details about how to set this up properly, I'd at least settle for knowing that it's technically possible. I'm unsure if the fact that the various server processes run as www-data user totally precludes us from managing files via SFTP in this manner or if I've just yet to stumble across the proper file ownership configuration to make it all work.

BTW QROkes I've seen several places where this topic has been brought up and I understand you don't support it any official capacity, so please understand I'm not asking for that at all. I'm not interested in this from the strict security standpoint others have mentioned (i.e. a hack taking down all the sites on the server), I'm more interested in this from a practical/usability standpoint (I want to be able to give certain team members access to a site without fear that they'll accidentally goof up something across other sites)

Thanks all!

2 Answers

+1 vote
by Rookie

Hi,

if you want your uploads folder to be accessible both by user and www-data, you should 

  1. chown it (recursive) to www-data:usergroup (the user should be a member of that group - typically a group with the same name as the user is automatically created when you create a user on debian based systems)
  2. chmod your uploads folder recursively like this: chmod -R g+Xw uploads (allow group to list directories and write - the X is execute directories only)
As recommendation I would suggest to disable php in the uploads folder in your nginx/apache if not already done.
Hope this helps, 
regards, Greg
by Talented
Wow, thanks for the fast response! Will wrap my head around this and give it a shot :D
by Rookie

There is one caveat though. Every time you will create a new site, all ownerships wil get reset to the www-data.
To prevent this, you should find and change the following line in /opt/webinoly/lib/sites from
sudo chown -R www-data:www-data /var/www

to

sudo chown -R www-data:www-data /var/www/$domain

I kindly asked QRokes to do it, as it would not harm webinoly in any way and it would give the server owners the possibility to change their ownership as they see fit, but he quite arrogantly turned me down.

by Expert

Arrogantly?

Do you really think I should do whatever you tell me?

Please, think before write and be more respectful. Imagine if I do whatever all the people tell me all the time, change this, change that, add this and that… It's not just a matter of time (I do this in my free-time), it's that I have to decide what is better for the project and for the majority of the users, period.

ago by Talented

It could've just been whatever permutation of permissions, home directories, etc I had at the time, but wasn't able to get this running with the www-data:usergroup setup. Instead I did it the opposite way - chown the site directory to username:www-data, then chmod wp-content/uploads to allow the webserver to write to the folder.

Is there a downside or caveat to doing it that way instead?

The only other thing I was slightly disappointed with is that I can't figure out a way to allow a user to SFTP into /var/www but then only see the folders they have permissions on

If I set ownership of /var/www/site.com to username:www-data and then also try to set that as the user's chrootdirectory (so they land in that folder when connecting), I'm not able to SFTP in.

But if I set it up so their chroot is /var/www then the user is able to see (though not modify) all files/directories of other sites - which I'd also like to avoid.

To get around this, I have to set ownership on /var/www/site.com to root:root, then set ownership of /var/www/site.com/htdocs and /var/www/site.com/htdocs/wp-config.php to the username:www-data.

Am I missing an opportunity to streamline this so that the user can just have ownership on /var/www/site.com and only see the files in that folder when SFTPing in?

Thx!

ago by Rookie

The only other thing I was slightly disappointed with is that I can't figure out a way to allow a user to SFTP into /var/www but then only see the folders they have permissions on

This is not possible, because you don't contol what the user see  but what he can or can't do on a directory. If you allow him to read /var/www, he will read everything in it.

What I would do is create a folder named "sites" in users home directory and then softlink all the users sites uploads folders individually to that directory. You would get this

$ ls -al /home/username/sites
lrwxrwxr-x [...] username www-data [...] site1.com -> /var/www/site1.com/htdocs/wp-content/uploads/
lrwxrwxr-x [...] username www-data [...] site2.com -> /var/www/site2.com/htdocs/wp-content/uploads/
lrwxrwxr-x [...] username www-data [...] site3.com -> /var/www/site3.com/htdocs/wp-content/uploads/

that should work and you should keep all the other files owned by you (or root). 

However, keep in mind that this is only applicable to the uploads folder or any folder not executed by php. 

Chowning the whole /var/www by www-data is a security concern. Any php script in a php executed directory accessible  from the web can write to any of the files owned by www-data. This kind of scripts can be accidentaly (from within various "pro" plugins/themes) or deliberately (by a malicious user you granted sftp access) uploaded to a public path executable by php and used to control or at least infest all the sites on your server.

Webinoly is not intended to be used as webhosting platform. If you need that, try to use virtualmin instead. It comes with apache out of the box but it has an nginx module available, that you can replace apache with. The GPL version is free and it works good.

0 votes
by Rookie
Welcome to the Community site for Webinoly.

If you have a question about Webinoly, please ask in English or Spanish.

To report a bug, please ask a question here with the bug tag.

News: Now you can use any external SMTP service in your server. All the server outgoing emails from any of your websites will be sent through this service.

Donations

Webinoly Support Paypal Donations Webinoly Support Bitcoin Donations

Your regular donations is what keep this project moving forward. If you like Webinoly, buy me a coffee or a beer to show support.

Affiliate Links

It is very important that any visitor to the site read the disclaimer, terms of use and privacy and legal statement before start browsing.

...