User cannot connect via SFTP to /var/www/html/





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







1















I have an Ubuntu server on Amazon running LAMP and WordPress site. I created a user called ftpuser that will connect to from FTP client via SFTP protocol to a /var/www/html/site/ and have rights on it.




  1. I've created SSH keys, and the user connects to his /home/ftpuser/ folder.


  2. I've set



    usermod -m -d /var/www/html/site/ ftpuser


  3. Copied /home/ftpuser/.ssh/ to /var/www/html/site. I set the ownership to ftpuser.


  4. Added ftpuser to the www-data group.


But that does not work for me. The FTP user doesn't even connect. User actually connects only for the user’s initial home directory.



Do I have to change ownership of /var/www/html/site/ to a ftpuser, but in this case will the WordPress site stop working because www-data is set to run Apache, or I'm wrong?



In some manual it says:



chmod ug+w /var/www/html/site/
chmod g+s /var/www/html/site/
setfacl -d -m g::rwx /var/www/html/site/


I'm not sure that that will help me, and I don't want to get misconfigured the directories and stops the working website.



Any help please? Here are some infos about the directories:



ls -l /var/www/html/
drwxr-xr-x 12 www-data www-data 4096 Jan 29 13:16 site

ls -al /var/www/html/site/
drwx-w---- 2 ftpuser www-data 4096 Jan 29 13:16 .ssh

ls -l /var/www/html/site/.ssh/
-rw-r--r-- 1 ftpuser www-data 407 Jan 29 13:16 authorized_keys
-rw------- 1 ftpuser www-data 1675 Jan 29 13:16 id_rsa
-rw-r--r-- 1 ftpuser www-data 406 Jan 29 13:16 id_rsa.pub

getfacl /var/www/html/site/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::r-x

getfacl /var/www/html/site/.ssh/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/.ssh/
# owner: ftpuser
# group: www-data
user::rwx
group::-w-
other::---


Solved. In my case I also had to do:



chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys









share|improve this question

























  • Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

    – JakeGould
    Jan 29 at 22:56











  • User actually connects, but only for his initial home directory.

    – Jake W.
    Jan 30 at 8:16


















1















I have an Ubuntu server on Amazon running LAMP and WordPress site. I created a user called ftpuser that will connect to from FTP client via SFTP protocol to a /var/www/html/site/ and have rights on it.




  1. I've created SSH keys, and the user connects to his /home/ftpuser/ folder.


  2. I've set



    usermod -m -d /var/www/html/site/ ftpuser


  3. Copied /home/ftpuser/.ssh/ to /var/www/html/site. I set the ownership to ftpuser.


  4. Added ftpuser to the www-data group.


But that does not work for me. The FTP user doesn't even connect. User actually connects only for the user’s initial home directory.



Do I have to change ownership of /var/www/html/site/ to a ftpuser, but in this case will the WordPress site stop working because www-data is set to run Apache, or I'm wrong?



In some manual it says:



chmod ug+w /var/www/html/site/
chmod g+s /var/www/html/site/
setfacl -d -m g::rwx /var/www/html/site/


I'm not sure that that will help me, and I don't want to get misconfigured the directories and stops the working website.



Any help please? Here are some infos about the directories:



ls -l /var/www/html/
drwxr-xr-x 12 www-data www-data 4096 Jan 29 13:16 site

ls -al /var/www/html/site/
drwx-w---- 2 ftpuser www-data 4096 Jan 29 13:16 .ssh

ls -l /var/www/html/site/.ssh/
-rw-r--r-- 1 ftpuser www-data 407 Jan 29 13:16 authorized_keys
-rw------- 1 ftpuser www-data 1675 Jan 29 13:16 id_rsa
-rw-r--r-- 1 ftpuser www-data 406 Jan 29 13:16 id_rsa.pub

getfacl /var/www/html/site/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::r-x

getfacl /var/www/html/site/.ssh/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/.ssh/
# owner: ftpuser
# group: www-data
user::rwx
group::-w-
other::---


Solved. In my case I also had to do:



chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys









share|improve this question

























  • Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

    – JakeGould
    Jan 29 at 22:56











  • User actually connects, but only for his initial home directory.

    – Jake W.
    Jan 30 at 8:16














1












1








1








I have an Ubuntu server on Amazon running LAMP and WordPress site. I created a user called ftpuser that will connect to from FTP client via SFTP protocol to a /var/www/html/site/ and have rights on it.




  1. I've created SSH keys, and the user connects to his /home/ftpuser/ folder.


  2. I've set



    usermod -m -d /var/www/html/site/ ftpuser


  3. Copied /home/ftpuser/.ssh/ to /var/www/html/site. I set the ownership to ftpuser.


  4. Added ftpuser to the www-data group.


But that does not work for me. The FTP user doesn't even connect. User actually connects only for the user’s initial home directory.



Do I have to change ownership of /var/www/html/site/ to a ftpuser, but in this case will the WordPress site stop working because www-data is set to run Apache, or I'm wrong?



In some manual it says:



chmod ug+w /var/www/html/site/
chmod g+s /var/www/html/site/
setfacl -d -m g::rwx /var/www/html/site/


I'm not sure that that will help me, and I don't want to get misconfigured the directories and stops the working website.



Any help please? Here are some infos about the directories:



ls -l /var/www/html/
drwxr-xr-x 12 www-data www-data 4096 Jan 29 13:16 site

ls -al /var/www/html/site/
drwx-w---- 2 ftpuser www-data 4096 Jan 29 13:16 .ssh

ls -l /var/www/html/site/.ssh/
-rw-r--r-- 1 ftpuser www-data 407 Jan 29 13:16 authorized_keys
-rw------- 1 ftpuser www-data 1675 Jan 29 13:16 id_rsa
-rw-r--r-- 1 ftpuser www-data 406 Jan 29 13:16 id_rsa.pub

getfacl /var/www/html/site/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::r-x

getfacl /var/www/html/site/.ssh/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/.ssh/
# owner: ftpuser
# group: www-data
user::rwx
group::-w-
other::---


Solved. In my case I also had to do:



chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys









share|improve this question
















I have an Ubuntu server on Amazon running LAMP and WordPress site. I created a user called ftpuser that will connect to from FTP client via SFTP protocol to a /var/www/html/site/ and have rights on it.




  1. I've created SSH keys, and the user connects to his /home/ftpuser/ folder.


  2. I've set



    usermod -m -d /var/www/html/site/ ftpuser


  3. Copied /home/ftpuser/.ssh/ to /var/www/html/site. I set the ownership to ftpuser.


  4. Added ftpuser to the www-data group.


But that does not work for me. The FTP user doesn't even connect. User actually connects only for the user’s initial home directory.



Do I have to change ownership of /var/www/html/site/ to a ftpuser, but in this case will the WordPress site stop working because www-data is set to run Apache, or I'm wrong?



In some manual it says:



chmod ug+w /var/www/html/site/
chmod g+s /var/www/html/site/
setfacl -d -m g::rwx /var/www/html/site/


I'm not sure that that will help me, and I don't want to get misconfigured the directories and stops the working website.



Any help please? Here are some infos about the directories:



ls -l /var/www/html/
drwxr-xr-x 12 www-data www-data 4096 Jan 29 13:16 site

ls -al /var/www/html/site/
drwx-w---- 2 ftpuser www-data 4096 Jan 29 13:16 .ssh

ls -l /var/www/html/site/.ssh/
-rw-r--r-- 1 ftpuser www-data 407 Jan 29 13:16 authorized_keys
-rw------- 1 ftpuser www-data 1675 Jan 29 13:16 id_rsa
-rw-r--r-- 1 ftpuser www-data 406 Jan 29 13:16 id_rsa.pub

getfacl /var/www/html/site/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/
# owner: www-data
# group: www-data
user::rwx
group::r-x
other::r-x

getfacl /var/www/html/site/.ssh/
getfacl: Removing leading '/' from absolute path names
# file: var/www/html/site/.ssh/
# owner: ftpuser
# group: www-data
user::rwx
group::-w-
other::---


Solved. In my case I also had to do:



chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys






linux ubuntu ssh ftp sftp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 1 at 10:00







Jake W.

















asked Jan 29 at 20:54









Jake W.Jake W.

84




84













  • Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

    – JakeGould
    Jan 29 at 22:56











  • User actually connects, but only for his initial home directory.

    – Jake W.
    Jan 30 at 8:16



















  • Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

    – JakeGould
    Jan 29 at 22:56











  • User actually connects, but only for his initial home directory.

    – Jake W.
    Jan 30 at 8:16

















Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

– JakeGould
Jan 29 at 22:56





Your methodology and explanation is hard to understand. First, changing a user’s home directory is a horrible idea. Just set a symbolic link to your home directory. Next, if you are on Amazon AWS, be sure you have the proper ports required for SFTP are open on your instance. If it is genuinely SFTP then it using the same port as SSH; port 22. If it is FTPS, then the port should be 21 or 990. You can adjust this in the Amazon AWS control panel for your instance; forget what Amazon’s name for the firewall tab is but that is it: A firewall issue.

– JakeGould
Jan 29 at 22:56













User actually connects, but only for his initial home directory.

– Jake W.
Jan 30 at 8:16





User actually connects, but only for his initial home directory.

– Jake W.
Jan 30 at 8:16










1 Answer
1






active

oldest

votes


















2














First, you say "the FTP user doesn't even connect." If the user is getting errors like Connection timed out, you most likely have a firewall/iptables problem and you'll need to fix that first. SFTP uses the same TCP port as SSH: by default that is 22.



Second, for security reasons, a regular user's home directory is usually owned by either the user itself (the normal case) or root (for special-purpose users). Also, in order to access their home directory, a user needs to have at least the x (directory access) permission to all the (grand)parent directories of their home directory, all the way to root. If these requirements are not satisfied, sshd may assume foul play and disallow logins (shell and SFTP) for that user. If the SFTP client successfully receives the server's host key, but then gets disconnected, this might be what's happening.



sshd also requires that the user's home directory, any (grand)parent directories all the way to the root directory, the .ssh sub-directory and the authorized_keys file in it are not writeable by other users, or else sshd will assume that any "authorized keys" are inserted by another malicious user and won't trust them. Putting the user's home directory in the middle of the HTTP server's subtree can make it more difficult to satisfy these requirements.



If the system has SELinux or other extra security measures in effect, trying to place an user's home directory into a non-standard location may require extra steps. In general, it will be much easier to just create a symbolic link to the ftpuser's home directory, pointing to the actual location of the site. The user will need to deal with one sub-directory, but that is usually tolerable.



I'd recommend first restoring the user's home directory location to normal:



usermod -d /home/ftpuser ftpuser


Then creating the symbolic link:



ln -s /var/www/html/site /home/ftpuser/site


Then start testing. First try to get the FTP user to at least connect: check the server's logs to see if a network connection gets established. Then make sure SSH key authentication works. Only after that it's time to worry about file permissions. It might be better for you to write a separate question about those.



And if you want the ftpuser to see only the contents of the web site and no other parts of the system, that's a special case: that's a chrooted SFTP account and it has some extra requirements, depending on the version of sshd used in the system. It might be easier to have ftpuser be jailed to their standard home directory, and then make the site accessible within the jail using a bind mount:



mkdir /home/ftpuser/site  #empty directory for a mount point
mount -o bind,rw /var/www/html/site /home/ftpuser/site


Similar to the symbolic link, this is just another, chroot-compatible way for the ftpuser to "see" the site directory as a sub-directory of their home directory: it won't affect the operations of the site at all.



(Symbolic links cannot point from the inside of a chroot jail to the outside world, but a bind mount can make parts of other filesystems accessible within the jail.)



When setting up a website directory tree to be maintained by non-root users, there may be a number of access categories to consider:




  • a) Directories and files that you want to be readable by both the web server and the maintainers, but not modifiable by either of them: this might include privileged CGI scripts or other similar parts of the site's infrastructure.

  • b) Directories and files that you want to be modifiable by the site maintainer(s), but only readable by the web server: this would be static content you want to be protected from defacement even if an intruder finds a new WordPress vulnerability or other attack vector.

  • c) Directories and files that need to be modifiable by WordPress and/or other processes running as part of the web server, and also by the site maintainer(s). This would be essentially WordPress and all the content managed by it.

  • d) Directories and files that are modifiable by WordPress only. By default, WordPress automatically makes sure its database files are protected like this.


Files and directories in categories a) and b) are easy: they can be owned by any user/group other than www-data. The only requirement is that they are readable by the www-data user, and the world-readable/accessible permission bits will cover that.



Files and directories in category a) might be owned by user root, group root and have permissions like -rw-r--r-- for regular files, -rwxr-xr-x for executable files and drwxr-xr-x for directories.



If your site includes files in category b), you may want to create a second group wwwadmin and make ftpuser a member of that group too. For this group, it is important that user www-data is not a member.



The files and directories in category b) would be owned by user ftpuser (or whoever), group wwwadmin, and permissions -rw-rw-r-- for regular files, -rwxrwxr-x for executable files and drwxrwxr-x for directories.



If Apache runs as the www-data user, any new files created by WordPress and/or any other site components will be owned by user www-data, group www-data. Since your ftpuser is already a member of the www-data group, you'll only need to ensure that in category c) all files have basic permissions rw-rw-r-- and any directories permissions drwxrwxr-x. That would mean adding the group write permission to all files owned by www-data and configuring Apache and/or WordPress to use umask 002. In Ubuntu, I think the Apache umask can be set in the /etc/apache2/envvars file. WordPress may override the web server default umask, so you might need to configure it separately.



To make all the files and directories owned by the www-data group have the right group access permissions, run this command:



find /var/www/html/site -group www-data -exec chmod g+rwX {} +


You may also want to add the setgid permission bit to all directories owned by the www-data user, to ensure that all new files and sub-directories added to them will automatically become owned by the www-data group even if it isn't the primary group of the user adding the file/directory:



find /var/www/html/site -type d -group www-data -exec chmod g+s {} +


This changes group permissions drwxrwxr-x to drwxrwsr-x, and removes the need for ftpuser to manually use chgrp www-data after adding any new files.



If you change the default umask setting for ftpuser to 002 (if it isn't that already), any new files they create will have group write access by default. That helps when modifying category c) files, and should not hurt with any other files in regular Ubuntu. Of course, their SFTP client may attempt to maintain the existing permissions of the files when transferring them, which may require some tweaking at the client side.



If you want to allow ftpuser to manipulate files of category d), the user needs to know that as long as they have write access to the directory the file is in, and the file is readable, they can always take up ownership of the file by making a copy of the file and then deleting the original.






share|improve this answer


























  • Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

    – Jake W.
    Jan 30 at 7:02













  • Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

    – telcoM
    Jan 30 at 8:38












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399812%2fuser-cannot-connect-via-sftp-to-var-www-html%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














First, you say "the FTP user doesn't even connect." If the user is getting errors like Connection timed out, you most likely have a firewall/iptables problem and you'll need to fix that first. SFTP uses the same TCP port as SSH: by default that is 22.



Second, for security reasons, a regular user's home directory is usually owned by either the user itself (the normal case) or root (for special-purpose users). Also, in order to access their home directory, a user needs to have at least the x (directory access) permission to all the (grand)parent directories of their home directory, all the way to root. If these requirements are not satisfied, sshd may assume foul play and disallow logins (shell and SFTP) for that user. If the SFTP client successfully receives the server's host key, but then gets disconnected, this might be what's happening.



sshd also requires that the user's home directory, any (grand)parent directories all the way to the root directory, the .ssh sub-directory and the authorized_keys file in it are not writeable by other users, or else sshd will assume that any "authorized keys" are inserted by another malicious user and won't trust them. Putting the user's home directory in the middle of the HTTP server's subtree can make it more difficult to satisfy these requirements.



If the system has SELinux or other extra security measures in effect, trying to place an user's home directory into a non-standard location may require extra steps. In general, it will be much easier to just create a symbolic link to the ftpuser's home directory, pointing to the actual location of the site. The user will need to deal with one sub-directory, but that is usually tolerable.



I'd recommend first restoring the user's home directory location to normal:



usermod -d /home/ftpuser ftpuser


Then creating the symbolic link:



ln -s /var/www/html/site /home/ftpuser/site


Then start testing. First try to get the FTP user to at least connect: check the server's logs to see if a network connection gets established. Then make sure SSH key authentication works. Only after that it's time to worry about file permissions. It might be better for you to write a separate question about those.



And if you want the ftpuser to see only the contents of the web site and no other parts of the system, that's a special case: that's a chrooted SFTP account and it has some extra requirements, depending on the version of sshd used in the system. It might be easier to have ftpuser be jailed to their standard home directory, and then make the site accessible within the jail using a bind mount:



mkdir /home/ftpuser/site  #empty directory for a mount point
mount -o bind,rw /var/www/html/site /home/ftpuser/site


Similar to the symbolic link, this is just another, chroot-compatible way for the ftpuser to "see" the site directory as a sub-directory of their home directory: it won't affect the operations of the site at all.



(Symbolic links cannot point from the inside of a chroot jail to the outside world, but a bind mount can make parts of other filesystems accessible within the jail.)



When setting up a website directory tree to be maintained by non-root users, there may be a number of access categories to consider:




  • a) Directories and files that you want to be readable by both the web server and the maintainers, but not modifiable by either of them: this might include privileged CGI scripts or other similar parts of the site's infrastructure.

  • b) Directories and files that you want to be modifiable by the site maintainer(s), but only readable by the web server: this would be static content you want to be protected from defacement even if an intruder finds a new WordPress vulnerability or other attack vector.

  • c) Directories and files that need to be modifiable by WordPress and/or other processes running as part of the web server, and also by the site maintainer(s). This would be essentially WordPress and all the content managed by it.

  • d) Directories and files that are modifiable by WordPress only. By default, WordPress automatically makes sure its database files are protected like this.


Files and directories in categories a) and b) are easy: they can be owned by any user/group other than www-data. The only requirement is that they are readable by the www-data user, and the world-readable/accessible permission bits will cover that.



Files and directories in category a) might be owned by user root, group root and have permissions like -rw-r--r-- for regular files, -rwxr-xr-x for executable files and drwxr-xr-x for directories.



If your site includes files in category b), you may want to create a second group wwwadmin and make ftpuser a member of that group too. For this group, it is important that user www-data is not a member.



The files and directories in category b) would be owned by user ftpuser (or whoever), group wwwadmin, and permissions -rw-rw-r-- for regular files, -rwxrwxr-x for executable files and drwxrwxr-x for directories.



If Apache runs as the www-data user, any new files created by WordPress and/or any other site components will be owned by user www-data, group www-data. Since your ftpuser is already a member of the www-data group, you'll only need to ensure that in category c) all files have basic permissions rw-rw-r-- and any directories permissions drwxrwxr-x. That would mean adding the group write permission to all files owned by www-data and configuring Apache and/or WordPress to use umask 002. In Ubuntu, I think the Apache umask can be set in the /etc/apache2/envvars file. WordPress may override the web server default umask, so you might need to configure it separately.



To make all the files and directories owned by the www-data group have the right group access permissions, run this command:



find /var/www/html/site -group www-data -exec chmod g+rwX {} +


You may also want to add the setgid permission bit to all directories owned by the www-data user, to ensure that all new files and sub-directories added to them will automatically become owned by the www-data group even if it isn't the primary group of the user adding the file/directory:



find /var/www/html/site -type d -group www-data -exec chmod g+s {} +


This changes group permissions drwxrwxr-x to drwxrwsr-x, and removes the need for ftpuser to manually use chgrp www-data after adding any new files.



If you change the default umask setting for ftpuser to 002 (if it isn't that already), any new files they create will have group write access by default. That helps when modifying category c) files, and should not hurt with any other files in regular Ubuntu. Of course, their SFTP client may attempt to maintain the existing permissions of the files when transferring them, which may require some tweaking at the client side.



If you want to allow ftpuser to manipulate files of category d), the user needs to know that as long as they have write access to the directory the file is in, and the file is readable, they can always take up ownership of the file by making a copy of the file and then deleting the original.






share|improve this answer


























  • Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

    – Jake W.
    Jan 30 at 7:02













  • Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

    – telcoM
    Jan 30 at 8:38
















2














First, you say "the FTP user doesn't even connect." If the user is getting errors like Connection timed out, you most likely have a firewall/iptables problem and you'll need to fix that first. SFTP uses the same TCP port as SSH: by default that is 22.



Second, for security reasons, a regular user's home directory is usually owned by either the user itself (the normal case) or root (for special-purpose users). Also, in order to access their home directory, a user needs to have at least the x (directory access) permission to all the (grand)parent directories of their home directory, all the way to root. If these requirements are not satisfied, sshd may assume foul play and disallow logins (shell and SFTP) for that user. If the SFTP client successfully receives the server's host key, but then gets disconnected, this might be what's happening.



sshd also requires that the user's home directory, any (grand)parent directories all the way to the root directory, the .ssh sub-directory and the authorized_keys file in it are not writeable by other users, or else sshd will assume that any "authorized keys" are inserted by another malicious user and won't trust them. Putting the user's home directory in the middle of the HTTP server's subtree can make it more difficult to satisfy these requirements.



If the system has SELinux or other extra security measures in effect, trying to place an user's home directory into a non-standard location may require extra steps. In general, it will be much easier to just create a symbolic link to the ftpuser's home directory, pointing to the actual location of the site. The user will need to deal with one sub-directory, but that is usually tolerable.



I'd recommend first restoring the user's home directory location to normal:



usermod -d /home/ftpuser ftpuser


Then creating the symbolic link:



ln -s /var/www/html/site /home/ftpuser/site


Then start testing. First try to get the FTP user to at least connect: check the server's logs to see if a network connection gets established. Then make sure SSH key authentication works. Only after that it's time to worry about file permissions. It might be better for you to write a separate question about those.



And if you want the ftpuser to see only the contents of the web site and no other parts of the system, that's a special case: that's a chrooted SFTP account and it has some extra requirements, depending on the version of sshd used in the system. It might be easier to have ftpuser be jailed to their standard home directory, and then make the site accessible within the jail using a bind mount:



mkdir /home/ftpuser/site  #empty directory for a mount point
mount -o bind,rw /var/www/html/site /home/ftpuser/site


Similar to the symbolic link, this is just another, chroot-compatible way for the ftpuser to "see" the site directory as a sub-directory of their home directory: it won't affect the operations of the site at all.



(Symbolic links cannot point from the inside of a chroot jail to the outside world, but a bind mount can make parts of other filesystems accessible within the jail.)



When setting up a website directory tree to be maintained by non-root users, there may be a number of access categories to consider:




  • a) Directories and files that you want to be readable by both the web server and the maintainers, but not modifiable by either of them: this might include privileged CGI scripts or other similar parts of the site's infrastructure.

  • b) Directories and files that you want to be modifiable by the site maintainer(s), but only readable by the web server: this would be static content you want to be protected from defacement even if an intruder finds a new WordPress vulnerability or other attack vector.

  • c) Directories and files that need to be modifiable by WordPress and/or other processes running as part of the web server, and also by the site maintainer(s). This would be essentially WordPress and all the content managed by it.

  • d) Directories and files that are modifiable by WordPress only. By default, WordPress automatically makes sure its database files are protected like this.


Files and directories in categories a) and b) are easy: they can be owned by any user/group other than www-data. The only requirement is that they are readable by the www-data user, and the world-readable/accessible permission bits will cover that.



Files and directories in category a) might be owned by user root, group root and have permissions like -rw-r--r-- for regular files, -rwxr-xr-x for executable files and drwxr-xr-x for directories.



If your site includes files in category b), you may want to create a second group wwwadmin and make ftpuser a member of that group too. For this group, it is important that user www-data is not a member.



The files and directories in category b) would be owned by user ftpuser (or whoever), group wwwadmin, and permissions -rw-rw-r-- for regular files, -rwxrwxr-x for executable files and drwxrwxr-x for directories.



If Apache runs as the www-data user, any new files created by WordPress and/or any other site components will be owned by user www-data, group www-data. Since your ftpuser is already a member of the www-data group, you'll only need to ensure that in category c) all files have basic permissions rw-rw-r-- and any directories permissions drwxrwxr-x. That would mean adding the group write permission to all files owned by www-data and configuring Apache and/or WordPress to use umask 002. In Ubuntu, I think the Apache umask can be set in the /etc/apache2/envvars file. WordPress may override the web server default umask, so you might need to configure it separately.



To make all the files and directories owned by the www-data group have the right group access permissions, run this command:



find /var/www/html/site -group www-data -exec chmod g+rwX {} +


You may also want to add the setgid permission bit to all directories owned by the www-data user, to ensure that all new files and sub-directories added to them will automatically become owned by the www-data group even if it isn't the primary group of the user adding the file/directory:



find /var/www/html/site -type d -group www-data -exec chmod g+s {} +


This changes group permissions drwxrwxr-x to drwxrwsr-x, and removes the need for ftpuser to manually use chgrp www-data after adding any new files.



If you change the default umask setting for ftpuser to 002 (if it isn't that already), any new files they create will have group write access by default. That helps when modifying category c) files, and should not hurt with any other files in regular Ubuntu. Of course, their SFTP client may attempt to maintain the existing permissions of the files when transferring them, which may require some tweaking at the client side.



If you want to allow ftpuser to manipulate files of category d), the user needs to know that as long as they have write access to the directory the file is in, and the file is readable, they can always take up ownership of the file by making a copy of the file and then deleting the original.






share|improve this answer


























  • Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

    – Jake W.
    Jan 30 at 7:02













  • Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

    – telcoM
    Jan 30 at 8:38














2












2








2







First, you say "the FTP user doesn't even connect." If the user is getting errors like Connection timed out, you most likely have a firewall/iptables problem and you'll need to fix that first. SFTP uses the same TCP port as SSH: by default that is 22.



Second, for security reasons, a regular user's home directory is usually owned by either the user itself (the normal case) or root (for special-purpose users). Also, in order to access their home directory, a user needs to have at least the x (directory access) permission to all the (grand)parent directories of their home directory, all the way to root. If these requirements are not satisfied, sshd may assume foul play and disallow logins (shell and SFTP) for that user. If the SFTP client successfully receives the server's host key, but then gets disconnected, this might be what's happening.



sshd also requires that the user's home directory, any (grand)parent directories all the way to the root directory, the .ssh sub-directory and the authorized_keys file in it are not writeable by other users, or else sshd will assume that any "authorized keys" are inserted by another malicious user and won't trust them. Putting the user's home directory in the middle of the HTTP server's subtree can make it more difficult to satisfy these requirements.



If the system has SELinux or other extra security measures in effect, trying to place an user's home directory into a non-standard location may require extra steps. In general, it will be much easier to just create a symbolic link to the ftpuser's home directory, pointing to the actual location of the site. The user will need to deal with one sub-directory, but that is usually tolerable.



I'd recommend first restoring the user's home directory location to normal:



usermod -d /home/ftpuser ftpuser


Then creating the symbolic link:



ln -s /var/www/html/site /home/ftpuser/site


Then start testing. First try to get the FTP user to at least connect: check the server's logs to see if a network connection gets established. Then make sure SSH key authentication works. Only after that it's time to worry about file permissions. It might be better for you to write a separate question about those.



And if you want the ftpuser to see only the contents of the web site and no other parts of the system, that's a special case: that's a chrooted SFTP account and it has some extra requirements, depending on the version of sshd used in the system. It might be easier to have ftpuser be jailed to their standard home directory, and then make the site accessible within the jail using a bind mount:



mkdir /home/ftpuser/site  #empty directory for a mount point
mount -o bind,rw /var/www/html/site /home/ftpuser/site


Similar to the symbolic link, this is just another, chroot-compatible way for the ftpuser to "see" the site directory as a sub-directory of their home directory: it won't affect the operations of the site at all.



(Symbolic links cannot point from the inside of a chroot jail to the outside world, but a bind mount can make parts of other filesystems accessible within the jail.)



When setting up a website directory tree to be maintained by non-root users, there may be a number of access categories to consider:




  • a) Directories and files that you want to be readable by both the web server and the maintainers, but not modifiable by either of them: this might include privileged CGI scripts or other similar parts of the site's infrastructure.

  • b) Directories and files that you want to be modifiable by the site maintainer(s), but only readable by the web server: this would be static content you want to be protected from defacement even if an intruder finds a new WordPress vulnerability or other attack vector.

  • c) Directories and files that need to be modifiable by WordPress and/or other processes running as part of the web server, and also by the site maintainer(s). This would be essentially WordPress and all the content managed by it.

  • d) Directories and files that are modifiable by WordPress only. By default, WordPress automatically makes sure its database files are protected like this.


Files and directories in categories a) and b) are easy: they can be owned by any user/group other than www-data. The only requirement is that they are readable by the www-data user, and the world-readable/accessible permission bits will cover that.



Files and directories in category a) might be owned by user root, group root and have permissions like -rw-r--r-- for regular files, -rwxr-xr-x for executable files and drwxr-xr-x for directories.



If your site includes files in category b), you may want to create a second group wwwadmin and make ftpuser a member of that group too. For this group, it is important that user www-data is not a member.



The files and directories in category b) would be owned by user ftpuser (or whoever), group wwwadmin, and permissions -rw-rw-r-- for regular files, -rwxrwxr-x for executable files and drwxrwxr-x for directories.



If Apache runs as the www-data user, any new files created by WordPress and/or any other site components will be owned by user www-data, group www-data. Since your ftpuser is already a member of the www-data group, you'll only need to ensure that in category c) all files have basic permissions rw-rw-r-- and any directories permissions drwxrwxr-x. That would mean adding the group write permission to all files owned by www-data and configuring Apache and/or WordPress to use umask 002. In Ubuntu, I think the Apache umask can be set in the /etc/apache2/envvars file. WordPress may override the web server default umask, so you might need to configure it separately.



To make all the files and directories owned by the www-data group have the right group access permissions, run this command:



find /var/www/html/site -group www-data -exec chmod g+rwX {} +


You may also want to add the setgid permission bit to all directories owned by the www-data user, to ensure that all new files and sub-directories added to them will automatically become owned by the www-data group even if it isn't the primary group of the user adding the file/directory:



find /var/www/html/site -type d -group www-data -exec chmod g+s {} +


This changes group permissions drwxrwxr-x to drwxrwsr-x, and removes the need for ftpuser to manually use chgrp www-data after adding any new files.



If you change the default umask setting for ftpuser to 002 (if it isn't that already), any new files they create will have group write access by default. That helps when modifying category c) files, and should not hurt with any other files in regular Ubuntu. Of course, their SFTP client may attempt to maintain the existing permissions of the files when transferring them, which may require some tweaking at the client side.



If you want to allow ftpuser to manipulate files of category d), the user needs to know that as long as they have write access to the directory the file is in, and the file is readable, they can always take up ownership of the file by making a copy of the file and then deleting the original.






share|improve this answer















First, you say "the FTP user doesn't even connect." If the user is getting errors like Connection timed out, you most likely have a firewall/iptables problem and you'll need to fix that first. SFTP uses the same TCP port as SSH: by default that is 22.



Second, for security reasons, a regular user's home directory is usually owned by either the user itself (the normal case) or root (for special-purpose users). Also, in order to access their home directory, a user needs to have at least the x (directory access) permission to all the (grand)parent directories of their home directory, all the way to root. If these requirements are not satisfied, sshd may assume foul play and disallow logins (shell and SFTP) for that user. If the SFTP client successfully receives the server's host key, but then gets disconnected, this might be what's happening.



sshd also requires that the user's home directory, any (grand)parent directories all the way to the root directory, the .ssh sub-directory and the authorized_keys file in it are not writeable by other users, or else sshd will assume that any "authorized keys" are inserted by another malicious user and won't trust them. Putting the user's home directory in the middle of the HTTP server's subtree can make it more difficult to satisfy these requirements.



If the system has SELinux or other extra security measures in effect, trying to place an user's home directory into a non-standard location may require extra steps. In general, it will be much easier to just create a symbolic link to the ftpuser's home directory, pointing to the actual location of the site. The user will need to deal with one sub-directory, but that is usually tolerable.



I'd recommend first restoring the user's home directory location to normal:



usermod -d /home/ftpuser ftpuser


Then creating the symbolic link:



ln -s /var/www/html/site /home/ftpuser/site


Then start testing. First try to get the FTP user to at least connect: check the server's logs to see if a network connection gets established. Then make sure SSH key authentication works. Only after that it's time to worry about file permissions. It might be better for you to write a separate question about those.



And if you want the ftpuser to see only the contents of the web site and no other parts of the system, that's a special case: that's a chrooted SFTP account and it has some extra requirements, depending on the version of sshd used in the system. It might be easier to have ftpuser be jailed to their standard home directory, and then make the site accessible within the jail using a bind mount:



mkdir /home/ftpuser/site  #empty directory for a mount point
mount -o bind,rw /var/www/html/site /home/ftpuser/site


Similar to the symbolic link, this is just another, chroot-compatible way for the ftpuser to "see" the site directory as a sub-directory of their home directory: it won't affect the operations of the site at all.



(Symbolic links cannot point from the inside of a chroot jail to the outside world, but a bind mount can make parts of other filesystems accessible within the jail.)



When setting up a website directory tree to be maintained by non-root users, there may be a number of access categories to consider:




  • a) Directories and files that you want to be readable by both the web server and the maintainers, but not modifiable by either of them: this might include privileged CGI scripts or other similar parts of the site's infrastructure.

  • b) Directories and files that you want to be modifiable by the site maintainer(s), but only readable by the web server: this would be static content you want to be protected from defacement even if an intruder finds a new WordPress vulnerability or other attack vector.

  • c) Directories and files that need to be modifiable by WordPress and/or other processes running as part of the web server, and also by the site maintainer(s). This would be essentially WordPress and all the content managed by it.

  • d) Directories and files that are modifiable by WordPress only. By default, WordPress automatically makes sure its database files are protected like this.


Files and directories in categories a) and b) are easy: they can be owned by any user/group other than www-data. The only requirement is that they are readable by the www-data user, and the world-readable/accessible permission bits will cover that.



Files and directories in category a) might be owned by user root, group root and have permissions like -rw-r--r-- for regular files, -rwxr-xr-x for executable files and drwxr-xr-x for directories.



If your site includes files in category b), you may want to create a second group wwwadmin and make ftpuser a member of that group too. For this group, it is important that user www-data is not a member.



The files and directories in category b) would be owned by user ftpuser (or whoever), group wwwadmin, and permissions -rw-rw-r-- for regular files, -rwxrwxr-x for executable files and drwxrwxr-x for directories.



If Apache runs as the www-data user, any new files created by WordPress and/or any other site components will be owned by user www-data, group www-data. Since your ftpuser is already a member of the www-data group, you'll only need to ensure that in category c) all files have basic permissions rw-rw-r-- and any directories permissions drwxrwxr-x. That would mean adding the group write permission to all files owned by www-data and configuring Apache and/or WordPress to use umask 002. In Ubuntu, I think the Apache umask can be set in the /etc/apache2/envvars file. WordPress may override the web server default umask, so you might need to configure it separately.



To make all the files and directories owned by the www-data group have the right group access permissions, run this command:



find /var/www/html/site -group www-data -exec chmod g+rwX {} +


You may also want to add the setgid permission bit to all directories owned by the www-data user, to ensure that all new files and sub-directories added to them will automatically become owned by the www-data group even if it isn't the primary group of the user adding the file/directory:



find /var/www/html/site -type d -group www-data -exec chmod g+s {} +


This changes group permissions drwxrwxr-x to drwxrwsr-x, and removes the need for ftpuser to manually use chgrp www-data after adding any new files.



If you change the default umask setting for ftpuser to 002 (if it isn't that already), any new files they create will have group write access by default. That helps when modifying category c) files, and should not hurt with any other files in regular Ubuntu. Of course, their SFTP client may attempt to maintain the existing permissions of the files when transferring them, which may require some tweaking at the client side.



If you want to allow ftpuser to manipulate files of category d), the user needs to know that as long as they have write access to the directory the file is in, and the file is readable, they can always take up ownership of the file by making a copy of the file and then deleting the original.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jan 30 at 8:38

























answered Jan 29 at 22:44









telcoMtelcoM

1,4841612




1,4841612













  • Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

    – Jake W.
    Jan 30 at 7:02













  • Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

    – telcoM
    Jan 30 at 8:38



















  • Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

    – Jake W.
    Jan 30 at 7:02













  • Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

    – telcoM
    Jan 30 at 8:38

















Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

– Jake W.
Jan 30 at 7:02







Thanks for the advice. As I mentioned, actually ftpuser connects good to his home directory via ftpzilla sftp protocol, no problem on that, there is no firewall or something. The problem is when I try to set for ftpuser the directory that needs to be edited by ftpuser. Also you said "mount -o bind,rw /var/www/html/site /home/ftpuser/site" , so that will not affect to /var/www/html/site? because I have running website. M? Thanks

– Jake W.
Jan 30 at 7:02















Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

– telcoM
Jan 30 at 8:38





Edited for the permissions advice (which admittedly made this answer rather long). No, the bind mount won't harm the site.

– telcoM
Jan 30 at 8:38


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1399812%2fuser-cannot-connect-via-sftp-to-var-www-html%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?