How to Grant an SFTP User Access to the /var/www Directory

1. Overview

In this tutorial, we’ll look at how to grant an SFTP user access to the /var/www directory. First, we’ll briefly examine how SSH and SFTP correlate.

Next, we’ll create an SFTP user, modify the sshd_config file, and add the necessary permissions to grant our user access to the /var/www directory. Lastly, we’ll use an sftp client to test the kind of access the user we created has.

2. SSH and SFTP

SSH and SFTP are essential components of remote access and file transfer. While SSH provides a secure and encrypted channel for accessing remote systems and executing commands, SFTP extends this functionality to facilitate secure file transfers between systems. Together, they provide a robust and secure solution for maintaining data integrity across networks/devices.

By default, SSH isn’t installed on most Linux distributions. We can install it through:

$ sudo apt install ssh
$ sudo systemctl start sshd

The SFTP client is available as a standard feature on all servers with SSH access enabled and doesn’t require any additional configuration. SFTP leverages the capabilities of the SSH subsystem to provide a secure, encrypted, and reliable method for transferring files between client and server systems over a network

Despite being secure, the major disadvantage of SFTP is that in a standard configuration, the SSH server grants file transfer access and terminal shell access to all users with an account on the system. This poses a great security risk to the system. To mitigate this, we need to restrict SFTP to specific features depending on user type.

3. Granting a User Access to the /var/www Directory

As we begin, we’ll need to create a user, set permissions, and configure the SFTP server accordingly. Additionally, we need to modify the sshd configuration file located at /etc/ssh/sshd_config. This user lacks sudo privileges to the web server document root though the user can perform standard actions.

3.1. Creating a sftpuser and Modifying the sshd_config File

To start our configuration, let’s create a user named sftpuser:

$ sudo adduser sftpuser

Secondly, let’s change ownership of the /var/www directory to the sftpuser:

$ sudo chown -R sftpuser /var/www

Next, we’ll adjust permissions for the directory to allow the sftpuser to read, write, and execute:

$ sudo chmod -R 755 /var/www

Following this, let’s restrict the sftpuser to the /var/www directory as we also disable the user’s access to SSH. The user will log in through SFTP. We’ll achieve this by modifying the sshd_config file:

$ sudo vi /etc/ssh/sshd_config

Let’s locate the Subsystem sftp line and ensure it looks like:

Subsystem sftp internal-sftp

This line configures the SSH server to use the internal SFTP subsystem for handling SFTP connections. Let’s scroll to the end of the file and add a new section:

Match User sftpuser
	ForceCommand internal-sftp
	ChrootDirectory /var/www/
	PasswordAuthentication yes
	X11Forwarding no
	AllowTcpForwarding no

Above, we’ve set the ForceCommand to internal-sftp. This forces the user to use the internal SFTP service. The ChrootDirectory option specifies the directory in which the user will log in.

Additionally, the following options improve security:

• PasswordAuthentication is set to yes for SSH connections to be authenticated using passwords.
• AllowTcpForwarding is set to no. This option controls whether TCP forwarding is permitted.
• When we’ve set X11Forwarding to no, it prevents graphical applications running on the SSH server from being displayed on the client machine.

We can repeat this section if we intend to restrict more users. We’ll only have to specify the different usernames.

Also, we can set up SSH key access for increased security, but we’ll have to set PasswordAuthentication to no. Finally, let’s save the file and verify our configurations are right:

$ sudo sshd -t

If we receive no error, we need to reload the SSH service to load the changes:

$ sudo systemctl restart sshd

To ensure everything is working correctly, let’s test the SFTP access for our sftpuser. We can use an SFTP client such as FileZilla, SCP, or command-line SFTP tools:

$ sftp [email protected]
[email protected]'s password:
Connected to 1.1.1.10.
sftp>

Otherwise, if we experience a disconnect error:

$ ssh [email protected]
[email protected]'s password:
client_loop: send disconnect: Connection reset by peer

Then, let’s re-edit the sshd_config file and change Match User to:

Match User sftp

After making these changes, let’s restart the sshd service and test access again using sftp.

Once connected, let’s try listing the contents of the /var/www directory:

$ ls /var/www

We should see the contents of the /var/www directory if the access is successful.

3.2. Additional Settings

Additionally, we need to add the sftpuser to the www-data group. This will enable the user to perform read, write, and execute without needing sudo. The web server uses www-data, a system user account used by web servers for accessing and managing files related to web content.

First, let’s add the user to the www-data group:

$ sudo usermod -aG www-data sftpuser
$ groups sftpuser
sftpuser : sftpuser www-data users sftp

This command adds the sftpuser to the group www-data without removing them from any other groups they may already be a member of.

Now, let’s change the sftpuser’s default home directory to the document root:

$ sudo usermod -d /var/www sftpuser

Additionally, let’s assign our sftpuser a restricted shell:

$ sudo chsh -s /bin/rbash sftpuser

If we make /var/www writeable by its group and add the user to the group, the sftpuser will not have to use sudo:

$ sudo adduser sftpuser www-data
$ sudo chown -R www-data:www-data /var/www
$ sudo chmod -R g+rwX /var/www

After making these changes, the user can edit /var/www/ files without permission issues.

The first line adds the user to the www-data group, the second line clears up any files with messed up ownership, and the third makes it so that all users of the www-data group can read and write all files in /var/www.

For the group membership to take effect, we need to log out and log back in.

4. Conclusion

In this article, we’ve learned how to install and configure SSH for using the SFTP server code. After that, we created a new user, restricted them to the /var/www directory, and disabled their SSH access. Further, we’ve added the user to the webserver document root to allow the user to read, write, and execute files in the document root.

Additonally, we assigned a restricted shell to our sftpuser, which prevents the user from moving to any other directory apart from its default home directory. Lastly, we’ve added the sftpuser to the www-data group, enabling the user to perform actions in the /var/www directory without root privileges.