When managing web servers, it’s common to provide users with secure access to the website’s files. One way to do this is by granting SFTP (Secure File Transfer Protocol) access to the /var/www directory. This allows users to upload, download, and manage website files securely without granting full SSH access.

In this article, we will walk through the process of creating an SFTP user and restricting their access to the /var/www directory.

Step 1: Create a New SFTP User

We’ll create a new user specifically for SFTP access. This user will not need SSH access, which helps maintain security.

adduser sftpuser

This command creates a new user named sftpuser. You’ll be prompted to set a password and optional information like name and contact details. Follow the instructions to complete the setup.

Step 2: Modify SSH Configuration for SFTP

To restrict sftpuser to SFTP-only access, we need to modify the SSH configuration file.

1. Open the SSH configuration file:

nano /etc/ssh/sshd_config

Add the following at the end of the file:

Match User sftpuser
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Explanation:

  • Match User: Limits the settings to sftpuser.
  • ChrootDirectory: Restricts the user’s root directory to /var/www.
  • ForceCommand internal-sftp: Ensures the user can only use SFTP.
  • AllowTcpForwarding and X11Forwarding: Disable unnecessary services.

2. Save and close the file.

Step 3: Set Permissions on /var/www

To allow sftpuser to write in /var/www, we need to adjust the permissions.

1. Change the ownership of /var/www to root:

chown root:root /var/www

sshd requires the ChrootDirectory, and every directory above it, to be owned by root and not writable by any other user; otherwise it refuses the login. Root ownership of /var/www therefore also ensures that sftpuser can access the directory but cannot modify anything outside the subdirectory created below.

2. Create a subdirectory in /var/www where the SFTP user can upload files:

mkdir /var/www/sftpuser_uploads

3. Set ownership of the subdirectory to sftpuser:

chown sftpuser:sftpuser /var/www/sftpuser_uploads

4. Adjust the permissions to allow read and write access:

chmod 755 /var/www
chmod 755 /var/www/sftpuser_uploads

These commands set the permissions so that sftpuser can upload and manage files inside sftpuser_uploads.
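Before restarting the SSH service it is worth checking that the chroot path actually meets sshd's rules: the login is refused with "bad ownership or modes for chroot directory" if /var/www or any directory above it is not owned by root or is group- or world-writable. The script below is an added example, not part of the original article; the helper names chroot_dir_ok and chroot_path_ok are my own, and it assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not from the original article): verify that a directory
# intended for sshd's ChrootDirectory satisfies the ownership and mode
# rules sshd enforces. Assumes GNU coreutils stat.

# chroot_dir_ok DIR [OWNER_UID]
# Returns 0 if DIR exists, is owned by OWNER_UID (default 0 = root) and is
# neither group- nor world-writable; returns 1 otherwise.
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    perms=$(stat -c '%A' "$dir") || return 1    # e.g. drwxr-xr-x
    [ "$uid" -eq "$want_uid" ] || return 1
    # 6th character is the group write bit, 9th is the world write bit
    case "$perms" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR [OWNER_UID]
# Walks from DIR up to / and applies chroot_dir_ok to every component,
# which is what sshd checks before honouring ChrootDirectory.
chroot_path_ok() {
    p=$1
    while :; do
        if ! chroot_dir_ok "$p" "${2:-0}"; then
            echo "bad ownership or modes for chroot path component: $p" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# Usage for the setup in this article:
#   chroot_path_ok /var/www && echo "chroot path OK"
```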

Step 4: Restart the SSH Service

After updating the configuration and permissions, restart the SSH service (the unit is named ssh on Debian and Ubuntu; on RHEL-family systems it is sshd):

systemctl restart ssh

Step 5: Test SFTP Access

Now that the configuration is in place, you can test SFTP access.

1. Use an SFTP client like FileZilla or the command line to connect:

sftp sftpuser@your_server_ip

2. Navigate to /var/www/sftpuser_uploads on the server, which appears as /sftpuser_uploads inside the SFTP session because /var/www is the user's chroot root, and upload files. The user should only be able to modify files within this directory.

Conclusion

In this guide, we created an SFTP user and restricted their access to the /var/www directory. We also set permissions to allow them to manage files within a specific subdirectory. This setup ensures the security of the web files while allowing the SFTP user to perform their tasks. You can now easily grant SFTP user access to the /var/www directory on dedicated server hosting from Atlantic.Net!