How to grant an SFTP user access to web-related files

In this post, we will show you how to grant an SFTP user access to web-related files.

It can happen in your work environment that one day you're greeted with the following user story:

As a customer, I want FTP access to the server, so that I can upload some static files to my website, in order to do manual changes.

Without further ado, let’s get right into this.

Creating our SFTP user

We start off by creating a new user on our server. Execute the following command to create the user together with their home directory. That last part matters, but if you don't see this command create a home directory, don't worry: we handle that with the next command.

$ sudo adduser obz

Note: remember the password; this is what you need to give to your customer so they can log in.

Next, we will create a home directory. This is the directory the SFTP user will land in.

$ sudo mkdir -p /home/obz/webapp

Note: the -p flag creates the path recursively, so if the obz directory were missing it would be created in this step as well.

Our next step involves setting the directory ownership. Since we want our customer to upload files into our webapp, the directory needs to belong to the web server's group. Our web server runs as www-data. We add that group to the user and to the directory with the following commands.

$ sudo usermod -aG www-data obz
$ sudo chown obz:www-data /home/obz/webapp
$ sudo chown root:root /home/obz
$ sudo chmod 755 /home/obz

Note: We make root the owner of the obz directory so that our SFTP user can't escape into other, unintended directories. sshd also requires this: it refuses to chroot into a directory unless that directory and every parent up to / are root-owned and not writable by group or others. We've also added the www-data group to our user so that the web server's permissions stay intact.

Now that we've set up our home (webapp) directory, we need to add our mount point. To do that, add the following line to the /etc/fstab file.

$ sudo nano /etc/fstab
# add this line
/path/to/your/webapp /home/obz/webapp none bind

Note: The main reason for adding this line to the fstab file is to make our bind-mounted SFTP directory persistent across server reboots.

We're almost there now; only one file remains. Add the following snippet to the bottom of the /etc/ssh/sshd_config file. It has to go at the end: every option that follows a Match line applies only to that match, up to the next Match block or the end of the file.

$ sudo nano /etc/ssh/sshd_config
# add the following snippet
Match User              obz
ForceCommand            internal-sftp
PasswordAuthentication  yes
ChrootDirectory         /home/obz
PermitTunnel            no
AllowAgentForwarding    no
AllowTcpForwarding      no
X11Forwarding           no

Finally, execute the following two commands.

$ sudo service sshd restart
$ sudo mount -a

You now have a working SFTP connection to your server. You can test this with an app like FileZilla. Note that, while SFTP runs over the SSH protocol, we don't actually allow interactive SSH logins. You can verify this with the following command.

$ ssh obz@<your_server_ip>

After entering your password you should see an error message telling you that only SFTP connections are allowed.
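Before restarting sshd it is worth checking that the chroot path satisfies the ownership rule above, since a wrong mode on any parent directory makes every login for the user fail. The script below is an added example, not part of the original guide: it walks from the ChrootDirectory up to /, checks owner and write bits on each component, and (when run as root with a username) prints the settings sshd will actually apply to that user. It assumes GNU stat (Linux); the host/addr values passed to sshd -C are placeholders.

```shell
#!/bin/sh
# Added example: verify a ChrootDirectory path and show the effective Match settings.
# Usage: sh check_sftp_chroot.sh /home/obz obz
# Assumes GNU coreutils stat (Linux).

check_dir() {
    # $1: directory, $2: required owner uid (sshd requires 0 = root)
    info=$(stat -c '%u %A' "$1" 2>/dev/null) || { echo "missing: $1"; return 1; }
    uid=${info%% *}
    perms=${info#* }
    if [ "$uid" != "$2" ]; then
        echo "wrong owner (uid $uid, want $2): $1"; return 1
    fi
    # In the symbolic mode (e.g. drwxrwxr-x) the 6th char is the group write
    # bit and the 9th is the other write bit; either one disqualifies the path.
    case $perms in
        ?????w*|????????w*) echo "group/other writable ($perms): $1"; return 1 ;;
    esac
    return 0
}

check_chroot_path() {
    # $1: chroot directory, $2: required owner uid (default 0)
    # Walk from the chroot directory up to / and test every component.
    dir=$1
    want=${2:-0}
    while :; do
        check_dir "$dir" "$want" || return 1
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "chroot path OK: $1"
    return 0
}

if [ $# -ge 1 ]; then
    check_chroot_path "$1" || exit 1
    # Effective settings for the user; sshd -T needs root to read the host keys.
    # host/addr are placeholders required by -C when address-based Match rules exist.
    if [ -n "$2" ] && [ "$(id -u)" -eq 0 ]; then
        sshd -t || exit 1    # syntax check of sshd_config first
        sshd -T -C "user=$2,host=sftp.example,addr=192.0.2.10" |
            grep -iE '^(forcecommand|chrootdirectory|passwordauthentication|allowtcpforwarding|allowagentforwarding|x11forwarding|permittunnel) '
    fi
fi
```

If the check reports a writable or wrongly owned component, fix that directory with chown root:root and chmod 755 as in the steps above rather than loosening sshd.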

Optional: Restricting certain permissions for the SFTP user

This step is use-case specific and might not be required in most cases. However, if you do want to limit the actions your customers can perform, continue reading this section.

If we re-open our sshd_config file we see the line ForceCommand internal-sftp. On this line we can either whitelist or blacklist certain SFTP requests (the "permissions" below) with the following flags:

  • -P blacklists the listed requests, e.g. internal-sftp -P write,read (this disallows both reading and writing of files)
  • -p whitelists the listed requests, e.g. internal-sftp -p write,read (this allows only reading and writing of files)

In practice, to disallow the customer from writing, updating and removing files, the line would be (the remove request is included so that the blacklist matches the stated intent)

ForceCommand            internal-sftp -P write,mkdir,rmdir,rename,remove

For a complete list of request names, see below.

open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync
lsetstat

You should now understand how to give users access to specific directories over the SFTP protocol. We hope you learned a lot by reading this guide!
