The goal: create a user with SFTP access who cannot get out above its root folder.

Debian 6

LAMP is installed.

Create the user:

 useradd -d /home/test1/ -b /home/test1/data -g www-data -s /bin/bash test1
 passwd test1

In sshd_config:

 Subsystem sftp internal-sftp
 Match Group www-data
     AllowTCPForwarding no
     X11Forwarding no
     ChrootDirectory %h/data
     ForceCommand internal-sftp

Over SFTP the user lands in the folder and cannot go above it. But at the same time I cannot create or change anything there; it says permission denied.

Then I do this:

 chown -R test1:www-data /home/test1/data 

Now the user cannot log in at all. When trying to connect it says:

Error: Server unexpectedly closed network connection

Error: Unable to connect to server

How can I make it so that the user can log in and change everything in the folder, but cannot leave it?

    1 answer

    You need to:

     chmod 0755 /home/test1/data/ /home/test1/
     chown root:root /home/test1/data/ /home/test1/

    Write access should be in a directory below the chroot, such as /home/test1/data/public-html,

    otherwise you get

     fatal: bad ownership or modes for chroot directory "/home/test1/data" 

    in /var/log/auth.log

    Usually the chroot is done simply to the home directory, but since you apparently don't want the user to have access to their own service files, you chroot into data. You cannot change files in data, though, because its owner is root:root, so you need to make another directory inside data with owner test1:www-data, and that directory must be configured as the document root for the web server.

    • I applied these commands; I still cannot edit, delete and so on. – Flasko
    • And it seems I've figured everything out. chown test1:www-data /home/test1/data – Flasko
    • And how can I make another user inside this user's folder? If I do as I showed above, I get Server unexpectedly closed network connection. – Flasko
    • Why would it work? There is a catch here: where you do the chroot, the owner cannot be anyone but root. I will add this to the answer. – zb'
    • I see :) Thank you very much. I just wanted to make SFTP access like this: full access to /home/main_user/data (user main_user), and secondary access, also over SFTP, to /home/main_user/data/second_user/ (user second_user). So that the main user has access to everything in his folder, and the mini-users have access to certain folders inside the main user's folder. It is needed so that several developers (with reduced rights) cannot get full access to the code of the whole project. That's it. – Flasko