Chroot SFtp with EasyEngine

In this tutorial, we create an SFTP user ee-user that has access only to example.com.

Create Users

The following commands create a user ee-user who is only allowed to use SFTP inside a chroot environment and cannot log in over ssh (the shell is set to /bin/false).

[email protected]:~# useradd -G www-data -ms /bin/false ee-user
[email protected]:~# passwd ee-user

Create SFtp Home Directory

Let's create the home directory for user ee-user.

[email protected]:~# mkdir -p /home/ee-user/example.com/htdocs

Setup Permissions

Let us set up permissions for the user ee-user.

[email protected]:~# chown ee-user:www-data /home/ee-user/example.com
[email protected]:~# chown root:root /home/ee-user/
[email protected]:~# chown root:root /home/

After executing the above commands, the permissions on the home and example.com directories should look like this:

[email protected]:~# ls -ld /home/
drwxr-xr-x 5 root root 4096 Oct 24 06:42 /home/
[email protected]:~# ls -ld /home/ee-user/
drwxr-xr-x 3 root root 4096 Oct 24 06:42 /home/ee-user
[email protected]:~# ls -ld /home/ee-user/example.com
drwxr-xr-x 2 ee-user www-data 4096 Oct 31 08:49 /home/ee-user/example.com

Setup sftp-server

Edit /etc/ssh/sshd_config: replace the existing sftp Subsystem line and append the following Match block at the end of the file.

[email protected]:~# vim /etc/ssh/sshd_config
# Find below line
Subsystem sftp /usr/lib/openssh/sftp-server
# Replace above line with following line
Subsystem sftp internal-sftp

# Add following lines at EOF
Match group www-data
X11Forwarding no
ChrootDirectory %h
AllowTcpForwarding no
ForceCommand internal-sftp
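sshd refuses to chroot unless every component of ChrootDirectory (here %h = /home/ee-user, so /home/ee-user, /home and /) is owned by root and not writable by group or others; this is why the chown root:root commands above were needed. The following POSIX shell check is an added example, not part of the original tutorial; the function name check_chroot_path is my own, and it parses ls -ld output so it works on both GNU and BSD userlands.

```shell
#!/bin/sh
# Walk every component of DIR (down to /) the way sshd does before
# chrooting and print one line per component that would make it refuse:
# not owned by OWNER (default: root) or writable by group or others.
# Exit status 0 means the path is acceptable as a ChrootDirectory.
# Usage: check_chroot_path /home/ee-user [root]
check_chroot_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "$1: not a directory"
        return 1
    }
    want_owner=${2:-root}
    status=0
    p=$dir
    while :; do
        # Fields of `ls -ld`: 1 = mode string, 3 = owner name.
        set -- $(ls -ld "$p")
        mode=$1
        owner=$3
        if [ "$owner" != "$want_owner" ]; then
            echo "$p: owned by $owner, not $want_owner"
            status=1
        fi
        case $mode in
            ?????w*|????????w*)   # group (6th char) or other (9th char) write bit set
                echo "$p: writable by group or others ($mode)"
                status=1 ;;
        esac
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $status
}

# Example from this tutorial (run as root on the server):
# check_chroot_path /home/ee-user && echo "chroot path OK"
```

Run it before restarting sshd; a chroot under a world-writable directory such as /tmp is reported as a violation, which matches sshd's own behaviour.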

Restart ssh service

[email protected]:~# service ssh restart

Setup webroot permissions

Make the webroot group-writable and set the setgid bit, so that files ee-user uploads are created with the www-data group and remain writable by both the user and the web server:

chmod g+s /var/www/example.com/htdocs/
chmod 775 /var/www/example.com/htdocs

Mount webroot in SFtp home directory

[email protected]:~# mount --bind /var/www/example.com/htdocs /home/ee-user/example.com/htdocs

Add the above command to /etc/rc.local so the bind mount is recreated at boot.

[email protected]:~# vim /etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
mount --bind /var/www/example.com/htdocs /home/ee-user/example.com/htdocs
exit 0

Save the file and quit (:wq).