
The following problem: we run a CentOS web server and would like to grant access to an external contractor who only needs to access our web folder '/var/www' to modify/upload files.

What I tried was setting up SFTP jailing (according to the following documentation: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/), but I can't make it work for the following reason: the whole web folder is owned by the Apache user apache:apache, as usual in CentOS. But SFTP needs root:root ownership, otherwise the following error appears:

    fatal: bad ownership or modes for chroot directory component "/var/www/" [postauth]

So how can I set up SFTP, or another solution, in order to keep the "www" folder owned by apache:apache and allow another user to access it?

Are there other options to solve this problem than SFTP, or is SFTP the right thing to do?

Thank you in advance for your help!

  • Are you sure you fully appreciate and understand Linux file permissions? E.g. codesport.io/security/… Commented Jan 12, 2016 at 14:23
  • No, it is not. The condition is made for a reason (CVE-2009-2904). Some tools might allow you to do this, but they are making the whole thing less secure. Commented Jan 12, 2016 at 15:12
  • Found someone with the same problem and got it solved, thanks a lot! askubuntu.com/questions/196062/… It would be great if you could briefly check whether my solution is still secure (see answer below). Thanks in advance. Commented Jan 13, 2016 at 15:21

1 Answer

I finally used SFTP to solve the mentioned problem. The main issues were the file permissions. I did the following steps (running CentOS 7.2):

Folder Permissions

The following file permissions were set, including the sticky bit (explained after the code).

    sudo find /var/www/html/ -type f -exec chmod 664 {} \;
    sudo find /var/www/html/ -type d -exec chmod 775 {} \;
    sudo find /var/www/html/ -type d -exec chmod g+s {} \;   # Set SGID in order to keep the group for newly created files
    sudo chown -R apache:webmasters /var/www/html/website/data/   # The data directory must be writable by apache
    sudo chown root:root /var/www/   # The chroot directory itself must be owned by root

Create Group and Users

Create a user for the external provider and set a new password.

    groupadd webmasters
    useradd -g webmasters -d /var/www/ -s /sbin/nologin externalProvider
    passwd externalProvider

Setup sftp-server Subsystem in sshd_config

    vim /etc/ssh/sshd_config

Comment out the existing Subsystem line and add:

    Subsystem sftp internal-sftp

Add at the end of sshd_config:

    Match Group webmasters
        ChrootDirectory /var/www/
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

Restart the sshd service

    systemctl restart sshd

Log in via SFTP to test the connection

    sftp externalProvider@hostname

Security

SELinux is enforcing and was never an issue concerning this SFTP setup.
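The error in the question comes from sshd checking every component of the ChrootDirectory path: each one must be owned by root and must not be writable by group or others, which is why `chown root:root /var/www/` was needed while the contents below it can stay apache:webmasters. The following script is an added example (not part of the answer above) that walks a path and reports which component would fail that check; it assumes GNU `stat -c` as shipped with CentOS.

```shell
#!/bin/sh
# Added example: verify a ChrootDirectory path against sshd's rule that
# every component is root-owned and not group/world writable.

# Pure check on one component's numeric uid and octal mode string
# (e.g. "755" or "2775" as printed by `stat -c %a`). Returns 0 if OK.
component_ok() {
  uid=$1; mode=$2
  [ "$uid" = 0 ] || return 1                     # must be owned by root
  tail=${mode#"${mode%??}"}                      # last two digits: group, other
  case "${tail%?}" in 2|3|6|7) return 1 ;; esac  # group-writable bit set
  case "${tail#?}" in 2|3|6|7) return 1 ;; esac  # world-writable bit set
  return 0
}

# Stat one existing directory and report; assumes GNU coreutils stat.
check_one() {
  uid=$(stat -c %u "$1") || return 1
  mode=$(stat -c %a "$1") || return 1
  if component_ok "$uid" "$mode"; then
    echo "ok   $1 (uid $uid, mode $mode)"
  else
    echo "BAD  $1 (uid $uid, mode $mode): sshd will refuse this chroot"
    return 1
  fi
}

# Walk from / down to the target, checking each component in turn.
check_chroot_path() {
  target=$1; cur=""; rc=0
  old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs
  check_one / || rc=1
  for c in "$@"; do
    [ -n "$c" ] || continue
    cur="$cur/$c"
    check_one "$cur" || rc=1
  done
  return $rc
}

# Usage: sh check_chroot.sh /var/www
if [ -n "$1" ]; then check_chroot_path "$1"; fi
```

Run it after the chown/chmod steps; a "BAD" line names the exact component the sshd error message complains about.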
