Locking down SFTP user without SSH on CentOS 5

Problem Context
We have multiple sites hosted on a single server and needed to give each person an individual FTP account, but we cannot give them permission to see the other sites on the server or any of the configuration files.

Solution
For security reasons, FTP is disallowed on our server, forcing everyone to use SFTP. As such, we could not simply disallow SSH, since SFTP runs over it. After experimenting with Linux file permissions for a while, we worked out a few modifications that block our new users from SSH while preserving their ability to SFTP into a specific directory and modify all files under it.

The first step is to create a group for the new user, which we will apply to their specific folder so we can set permissions on their files at the group level. Then we create the new user account and add them to the new group. For this post we will use the user NewUser and the group NewGroup.

# /usr/sbin/groupadd NewGroup
# /usr/sbin/useradd -g NewGroup NewUser
# /usr/bin/passwd NewUser

Now let's set up the directory the new user will drop into, and block their ability to do anything useful with SSH. Inside /etc/passwd, find the line that looks something like this:

# vim /etc/passwd
NewUser:x:501:502::/home/NewUser/:/bin/bash

Now let's say the root directory for the site we want the user to modify is /var/www/website.com/, so we change the home directory in /etc/passwd to point to this directory. When the user SFTPs into website.com, they will be dropped into this directory. Additionally, we set their shell to the location of sftp-server, which can be found by running: # which sftp-server

NewUser:x:501:502::/var/www/website.com/:/usr/libexec/openssh/sftp-server

Now we can change the group permissions on /var/www/website.com/ with

# cd /var/www/website.com/
# chgrp -R NewGroup *

This will let you control permissions for NewUser at the group level. The last thing to do is to deny the user read permission on the directory above website.com/, which will stop them from going up the directory tree, effectively locking them into website.com/.

# cd /var
# chmod 771 www

At this point, NewUser will be able to SFTP to website.com, which drops them into /var/www/website.com/, but they will be unable to move up a directory, and SSH will respond with a shell that isn't interactive.
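As an added audit example (not part of the original post), the following POSIX sh script checks the properties this procedure relies on against constructed sample /etc/passwd lines. It assumes the sftp-server path shown above and an environment variable PASSWD_DATA (an assumption) for feeding it the contents of a real passwd file.

```shell
#!/bin/sh
# Added example: audit the SFTP-only lockdown described in the post.
# Uses constructed sample data by default; run with
# PASSWD_DATA="$(cat /etc/passwd)" to audit a live CentOS 5 box.

# Location reported by "which sftp-server" in the post.
SFTP_SERVER=/usr/libexec/openssh/sftp-server

# Constructed sample: one locked-down account, one web account that was
# left with an interactive shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
NewUser:x:501:502::/var/www/website.com/:/usr/libexec/openssh/sftp-server
OtherUser:x:503:504::/var/www/other.com/:/bin/bash'

passwd_data() {
    printf '%s\n' "${PASSWD_DATA:-$SAMPLE_PASSWD}"
}

# check_sftp_only USER: succeeds only if USER's login shell is sftp-server
# (so no interactive SSH) and their home, the SFTP drop-in point, is under
# /var/www.
check_sftp_only() {
    entry=$(passwd_data | grep "^$1:" || true)
    [ -n "$entry" ] || return 1
    home=$(printf '%s' "$entry" | cut -d: -f6)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    [ "$shell" = "$SFTP_SERVER" ] || return 1
    case "$home" in
        /var/www/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_unlocked_web_users: print every account whose home is under /var/www
# but whose shell is not sftp-server, i.e. accounts the procedure missed.
find_unlocked_web_users() {
    passwd_data | awk -F: -v sftp="$SFTP_SERVER" \
        '$6 ~ /^\/var\/www\// && $7 != sftp { print $1 }'
}

# parent_blocks_listing MODE: succeeds if an octal mode such as 771 denies
# read to "other", so NewUser cannot list /var/www. The execute bit that
# remains still lets a user enter a sibling directory whose exact name they
# already know, which is why the per-site chgrp above still matters.
parent_blocks_listing() {
    other=${1#"${1%?}"}          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -eq 0 ]
}
```

With the sample data, check_sftp_only NewUser succeeds, find_unlocked_web_users prints OtherUser, and parent_blocks_listing 771 succeeds while 775 fails.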

This entry was posted in Linux, Media Temple.
