When managing web servers, it’s common to provide users with secure access to the website’s files. One way to do this is by granting SFTP (Secure File Transfer Protocol) access to the /var/www directory. This allows users to upload, download, and manage website files securely without granting full SSH access.
In this article, we will walk through the process of creating an SFTP user and restricting their access to the /var/www directory.
Step 1: Create a New SFTP User
We’ll create a new user specifically for SFTP access. This user will not need SSH access, which helps maintain security.
adduser sftpuser
This command creates a new user named sftpuser. You'll be prompted to set a password and optional information such as name and contact details. Follow the prompts to complete the setup. (adduser is the Debian/Ubuntu command; on Red Hat-based systems use useradd followed by passwd.)
Step 2: Modify SSH Configuration for SFTP
To restrict sftpuser to SFTP-only access, we need to modify the SSH configuration file.
1. Open the SSH configuration file:
nano /etc/ssh/sshd_config
Add the following at the end of the file:
Match User sftpuser
ChrootDirectory /var/www
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
Explanation:
- Match User: Applies the settings that follow only to sftpuser.
- ChrootDirectory: Confines the user to /var/www, which the user sees as its root directory (/).
- ForceCommand internal-sftp: Forces the SFTP subsystem, so the user cannot get a shell or run other commands.
- AllowTcpForwarding and X11Forwarding: Disable port forwarding and X11 forwarding, which an SFTP-only user does not need.
2. Save and close the file.
Step 3: Set Permissions on /var/www
To allow sftpuser to write in /var/www, we need to adjust the permissions.
1. Change the ownership of /var/www to root:
chown root:root /var/www
sshd requires the chroot directory, and every directory on the path to it, to be owned by root and not writable by any other user, and refuses the login otherwise. This means sftpuser can read /var/www but cannot create or modify files in it directly.
2. Create a subdirectory in /var/www where the SFTP user can upload files:
mkdir /var/www/sftpuser_uploads
3. Set ownership of the subdirectory to sftpuser:
chown sftpuser:sftpuser /var/www/sftpuser_uploads
4. Adjust the permissions to allow read and write access:
chmod 755 /var/www
chmod 755 /var/www/sftpuser_uploads
These commands set the permissions so that sftpuser can upload and manage files inside sftpuser_uploads, while /var/www itself remains writable only by root, as the chroot requires.
Step 4: Restart the SSH Service
After updating the configuration and permissions, restart the SSH service:
systemctl restart ssh
On Red Hat-based systems the service is named sshd rather than ssh.
Step 5: Test SFTP Access
Now that the configuration is in place, you can test SFTP access.
1. Use an SFTP client like FileZilla or the command line to connect:
sftp sftpuser@your_server_ip
2. Navigate to the sftpuser_uploads directory and upload files. Because the user is chrooted to /var/www, the directory appears as /sftpuser_uploads from the SFTP client. The user should only be able to modify files within this directory.
Conclusion
In this guide, we created an SFTP user and restricted their access to the /var/www directory. We also set permissions to allow them to manage files within a specific subdirectory. This setup ensures the security of the web files while allowing the SFTP user to perform their tasks. You can now easily grant SFTP user access to the /var/www directory on dedicated server hosting from Atlantic.Net!