Getting SFTP to work for a limited user in a Linode

7 Oct

First of all, if I wanted to have my own website, it wouldn’t make much sense for me to host my own server too. I’ve been living with cPanel on shared hosting and it does a pretty good job of automating various tasks such as creating subdomains, databases and such.

No, the reason I wanted to host my own server, besides having shell access which was crucial for source control as it was one of the first things I set up on my new server – was to host multiple sites. Not subdomains, but whole domains. In particular, deanishes.com, a site where it is planned that you can observe the inspired progress of Dean’s tasks. Now while it is possible for him to manage his site through the wordpress admin panel, in all fairness that is insufficient for editing code. You can edit the theme files through wordpress, and I’ve even thrown on a pretty code editor plugin but nothing beats the power of IDE software, with code-completion, auto-formatting and syntax highlighting.

Therefore, I needed a way to provide Dean with limited access to the server – just to access his wordpress installation files. Which brings me to the what this post is about – allowing SFTP access to the server but in a limited capability.

First of all, my original idea was a FTP server daemon which would handle a separate set of users and logins. My first step was to head to the Linode library, which is pretty good except for not fully documented parts. As it is, it turns out that SFTP is preferred over FTP because of security issues. I’m all for best practices and am pretty flexible, so I did what was right – I looked into SFTP access instead.

As per Linode’s reccomendations, I had shut down all ports except for allowed ones such as SVN, SSH and HTTP. So my next step was to open a port for FTP/SFTP access. As it turns out, because SFTP uses the same port as SSH (the two are the same, really), I didn’t need to configure my iptables firewall rules – though I did spend a great deal of time googling “iptables allow sftp” when my previous attempts didn’t work, but that was eventually chalked to a different problem (file permissions).

Now, SFTP uses unix accounts to connect, much like SSH. I was initially apprehensive of this, but then I thought about the ramifications – having ten users in my linux installation? Why not? I’m not going to be a general webhost, and one user per site seemed pretty reasonable to me. But the crux of the matter was that I needed to customise this user – it could not be allowed to access anything other than the directory I’ve specified for it.

Which led me to the concept of chroot SFTP, which basically is a SFTP jail that starts the user in a predefined directory without access to other things. All that is needed is that the directory be owned by root, but any subdirectories can be owned by the user. At first I was trying the Linode solution, but that did not pan out. For some reason, the

ChrootDirectory

directive in the Linode library specified %h, but the one in the other article reccomended /<some directory/%u.

The former did not work out, so I resorted to following the other article’s example to the letter.

And what I’ve discovered is this -%h defaulted to the root directory / regardless of the home directory I specified in /etc/passwd, and instead started from / and attempted to browse to the home directory specified – but of course failed because it didn’t have the permissions to traverse directories.

So when I specified the ChrootDirectory to /<some directory>/%u, AND the home directory to be /, It worked fine and started in / of /<some directory>/%u.

So what I can take away from this is that /etc/passwd specifies the home directory RELATIVE to whatever root directory was provided, and the ChrootDirectory provides the root directory for the jail. Now that I’ve got it all working, it’s time to celebrate this with Dean!

-EDIT- It is important that /<some directory> be owned by root, because the shell requires access to login. Funny, huh? the shell requiring access.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: