Limiting SFTP access by SFTP users

On the FreeBSD servers, there was a straightforward way to limit permissions for users on a virtual server – on Textdrive we called it “jailing”. Due to particularities with the way Solaris handles directory listing, the old method doesn’t work on Solaris shared, and if you give SFTP permissions to a user on a virtual server, they have pretty much free reign to browse around the directories of your account. They can’t change any files, but they can ls to their hearts’ content.

This is one method of providing SFTP access to a user so they can update a website freely, while limiting their read access to the rest of your shared server.

I use this as a method of preventing an implicitly trusted user (a family member) from seeing everything on my server. Because of the configuration involved, this is not a completely secure solution (see drawbacks below).

We’ll call your user Jill, the domain jilldomain.com, and the new FTP user webuser.

1. Create a new user on the virtual server. It’s better to create a separate account from the one Jill uses for email, because if you as the server admin need permissions to the web root (eg, to fix the web page), you’ll have to know the password as well. Jill doesn’t want you to know her email password. Let’s call this new user webuser@jilldomain.com. Give the user SFTP permissions (Other user permissions → email and sftp).
2. SFTP in as webuser-jilldomain – it should put you in ../domains/jilldomain.com/homes/webuser/. add directories for web/public.
3. With Virtualmin, under the jilldomain.com virtual server, select Services / Configure Website / Document Options. The first option is Document root directory – set that to the directory you just created (/users/home/yourserver/domains/jilldomain.com/homes/webuser/web/public).
4. Submit that change and click the ‘apply changes’ link that appears at the top right. This will restart apache with your new configuration.

Now the web page for this domain will be served from that directory. Careful here, if you point apache to a non-existent directory, chaos will ensue.

Ok, right now webuser can fire up SFTP and browse directories all around your server, even on other virtual domains – though she doesn’t have write permissions outside of her home directory.

ssh to your server. you’re going to change some directory permissions:

% chmod go-r /users/home/yourserver
% chmod go-r /users/home/yourserver/*
% chmod go-r /users/home/yourserver/domains
% chmod go-r /users/home/yourserver/domains/*

Now webuser can’t go browsing around directories. This also means that you need to set the sftp directory manually for webuser. In most FTP programs there’s a setting like “initial path” – set that to something like /users/home/yourserver/domains/jilldomain.com/homes/webuser/web. Otherwise, SFTP seems to balk (apparently trying to ls first before being re-directed to the SFTP user’s home).

1. Any directory that has group read permissions is potentially accessible directly, even if webuser can’t browse to the path. so by guessing a path through FTP, webuser could view the directory listing on that path. This makes this solution more of a picket fence than a wall, because short of remembering to chmod go-r new virtual servers (and home directories, etc etc) as you make them... there will be holes. (peepholes?)
2. The new webroot files are owned by webuser. This means you as the administrator have to log in through SFTP to change the files – your ssh user doesn’t have permissions. This makes things like svn updates to the webroot problematic. You could of course grant all permissions (g+w) with webuser through SFTP, but that’s another can of worms in terms of access by other FTP users.