1

I would like to restrict a user (user sftp-user, group webgroup) to sftp access for the /var/www/html directory in CentOS 8. They should have read and write permissions so they can make changes to website files.

I am able to successfully jail the user to their homedir with ChrootDirectory %h but I can't quite get it to work when I change it to ChrootDirectory /var/www/html in /etc/ssh/sshd_config. The user gets this error when trying to sftp:

fatal: bad ownership or modes for chroot directory "/var/www/html"

What I did is try to use setfacl to give the group webgroup rw- permissions for /var/www/html (though not recursively, but everything inside that folder is owner by sftp-user:group).

How do I get it to work? I've seen some solutions suggest using mount, I'm not sure if that's the better solution.

Also, the html folder is owner by root:root, and everything inside it is owned by sftp-user:webgroup as I mentioned. Is this the correct ownership?

for the sake of completeness, here's the output of getfactl /var/www/html:

# file: html/
# owner: root
# group: root
user::rwx
group::r-x
group:webgroup:rw-
mask::rwx
other::r-x

Thank you.

Improve this question
2
  • As I understand man 5 sshd_config, the chroot must be owned by root and not be writable by anybody else. I don't know if sshd checks ACLs there (apparently so?), but I wonder how your ChrootDirectory %h ever worked then. Is setting sftp-user's home to /var/www/html an option at all for you? Commented Jul 14, 2020 at 15:40
  • I just changed the user's home as you suggested but no dice. I get the same error with the new homedir. Commented Jul 14, 2020 at 16:47

1 Answer 1

Reset to default
0

I got this figured out. It looks like I was conflating different factors. Trying to work with sftp and ACL at the same time caused me to misdiagnose the problem. All credit to Ulrich Schwarz for essentially solving the problem.

To make it work, I had to make sure every directory in the path /var/www/html was owned by root as chroot jail apparently requires.

The other problem was that the permissions on html were changed to 775 at one point while I was trying to figure this out. I changed them to 755 and I was able to sftp into ChrootDirectory with no problem.

On the ACL front, the files in /var/www/html are owned by apache:apache, while the user is sftp-user in group webgroup. I simply gave the user rwX permissions:

setfacl -Rm u:sftp-user:rwX html

-m is modify, -R is recursive.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.