bad ownership or modes for chroot directory "/var/www"
I am using:
- Debian
- nginx
- php-fpm
Getting the following error in auth.log when trying to connect to the site using SFTP.
Quote:
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
Quote:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser, which is part of the sftponly group.
If I do the following then I can connect but cannot rename, edit, delete, or overwrite any file or folder inside /var/www/
Quote:
sudo chmod 755 /var/www/
Here's my sshd_config setting
Quote:
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short, sudo chmod 755 /var/www/ allows me to connect but only in READ-only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
Quote:
So in short, sudo chmod 755 /var/www/ allows me to connect but only in READ-only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
That is correct. The manual page tells about that, scroll down to "ChrootDirectory" there:
Code:
man sshd_config
One option is to populate the /var/www/ directory as root with the files and subdirectories needed and chown those to your user or group. That will allow the files to be edited and the subdirectories worked in yet still retain the strict permissions required by the SSH server.
However, instead I would recommend putting a subdirectory under /var/www/ and allowing your user to write to that. Leave /var/www/ for root.
Code:
Match group sftponly
ChrootDirectory /var/www/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d site1
If you're going to have more than one virtual host on your web server, then I'd do it a little differently though.
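The reply above describes the rule sshd enforces (the chroot directory and every parent of it must be owned by root and must not be group- or world-writable) and the layout that works with it (keep /var/www root-owned 755, give the SFTP group its own subdirectory). The script below is an added example, not from the thread or from OpenSSH: it reproduces that check so you can see which path component is the one sshd rejects, and creates the per-site subdirectory. It assumes GNU coreutils `stat -c` as on Debian, with a BSD `stat -f` fallback; the `CHROOT_OWNER_UID` variable and the optional second argument (where to stop walking up) exist only so the check can be exercised on a scratch tree, and default to root and `/` for real use.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors sshd's ChrootDirectory rule:
# every component from / down to the chroot must be root-owned with no
# group/world write bit. Also lays out a writable per-site subdirectory.

# stat wrappers: GNU coreutils first, BSD stat as a fallback (assumption)
owner_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
octal_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"; }

# Echo the first directory, walking from $1 up to $2 (default /), that is not
# owned by $CHROOT_OWNER_UID (default 0 = root) or that has a group or world
# write bit set. Echoes nothing when every component passes.
first_bad_component() {
    dir=$1
    top=${2:-/}
    want_uid=${CHROOT_OWNER_UID:-0}
    while :; do
        uid=$(owner_uid "$dir")   || { echo "$dir"; return; }
        mode=$(octal_mode "$dir") || { echo "$dir"; return; }
        # last two octal digits are the group and other permission bits
        other=${mode#"${mode%?}"}
        rest=${mode%?}
        group=${rest#"${rest%?}"}
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir"; return
        fi
        case "$group$other" in
            *[2367]*) echo "$dir"; return ;;   # write bit present in 2,3,6,7
        esac
        [ "$dir" = "$top" ] && return
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return       # reached / without hitting $top
        dir=$parent
    done
}

# Exit 0 when $1 is an acceptable ChrootDirectory, 1 otherwise (saying why).
check_chroot_path() {
    bad=$(first_bad_component "$1" "${2:-/}")
    if [ -n "$bad" ]; then
        echo "bad ownership or modes for chroot directory component: $bad" >&2
        return 1
    fi
    return 0
}

# Create the writable site directory *under* the chroot, as the reply
# recommends: the chroot stays root 755, the subdirectory belongs to the SFTP
# user and group, with setgid so new files inherit the group.
layout_site_dir() {
    chroot_dir=$1 site=$2 user=$3 group=$4
    mkdir -p "$chroot_dir/$site" || return 1
    # chown needs root; skipped when run unprivileged (e.g. on a scratch tree)
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user:$group" "$chroot_dir/$site" || return 1
    fi
    chmod 2775 "$chroot_dir/$site"
}

# Usage on the thread's setup (run as root):
#   check_chroot_path /var/www && layout_site_dir /var/www site1 mysftpuser sftponly
```

Run as root, `check_chroot_path /var/www` returns 1 and names `/var/www` while it is mode 775, and passes once it is back to 755; `layout_site_dir` then gives `site1` the user-writable layout. After editing the Match block, `sshd -t` checks the configuration before you restart the daemon.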
Thanks for the quick reply. Yes, I do already have a site folder inside www and I intend to host multiple sites. And since this is my own VPS, I will only use one FTP user to connect to all sites instead of creating one for each site. I guess in this case I will use ForceCommand internal-sftp instead of ForceCommand internal-sftp -d site1, correct?
If you have only one SFTP user for all sites then that would work. The -d option for the SFTP server subsystem just helps save time by putting the user into the right directory when they log in.
Code:
man sftp-server
I would encourage, however, having different logins for the different people at least.
Also, since you are using SFTP to connect, the people working on the site can use various SFTP clients such as Nautilus, Dolphin, or SSHFS. Nautilus can open the remote site and treat it as a local folder, for example.