Linux - Newbie (LinuxQuestions.org forum)
08-12-2017, 11:30 AM  #1  aliweb (LQ Newbie, Registered: Jan 2011, Posts: 9)
bad ownership or modes for chroot directory "/var/www"
I am using:
- Debian
- nginx
- php-fpm
I get the following error in auth.log when trying to connect to the site using SFTP.
Quote:
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
Quote:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see, I have given full permission to the group sftponly. The user I connect with over SFTP is mysftpuser, which is part of the sftponly group.
If I do the following, then I can connect but cannot rename, edit, delete, or overwrite any file or folder inside /var/www/.
Here's my sshd_config setting:
Quote:
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short, sudo chmod 755 /var/www/ allows me to connect but only in read-only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
How do I fix this issue?
08-12-2017, 12:14 PM  #2  Turbocapitalist (LQ Guru, Registered: Apr 2005, Distribution: Linux Mint, Devuan, OpenBSD, Posts: 7,756)
Quote:
Originally Posted by aliweb
So in short, sudo chmod 755 /var/www/ allows me to connect but only in read-only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
That is correct. The manual page tells about that; scroll down to "ChrootDirectory" there:
One option is to populate the /var/www/ directory as root with the files and subdirectories needed and chown those to your user or group. That will allow the files to be edited and the subdirectories worked in, yet still retain the strict permissions required by the SSH server.
However, instead I would recommend putting a subdirectory under /var/www/ and allowing your user to write to that. Leave /var/www/ for root.
Code:
sudo chown root:root /var/www/
sudo chmod u=rwx,g=rx,o=rx /var/www/
sudo mkdir /var/www/site1/
sudo chgrp sftponly /var/www/site1
sudo chmod u=rwx,g=rwxs,o=rx /var/www/site1/
Then in your SSH server's configuration file:
Code:
Match group sftponly
ChrootDirectory /var/www/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d site1
If you're going to have more than one virtual host on your web server, then I'd do it a little differently though.
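To see exactly why 775 on /var/www is rejected while 755 is accepted, here is a small POSIX shell script, added as an example (it is not part of this thread and not OpenSSH's own code), that applies the same test sshd's safely_chroot() applies to a ChrootDirectory: every component of the path, from the directory itself up to /, must be a directory owned by uid 0 with no group or other write bit (mode & 022 == 0). The optional second and third arguments (required owner uid, and the directory at which to stop walking up) are this script's own additions so it can be exercised on a scratch tree without root; sshd itself always requires uid 0 and always walks to /. It assumes GNU coreutils stat as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the path check sshd runs before
# honouring ChrootDirectory. OpenSSH's safely_chroot() walks every component of
# the chroot path and aborts with "bad ownership or modes for chroot directory"
# unless each one is a directory owned by uid 0 with no group or other write bit.
# That is why 755 on /var/www works and 775 does not, whatever group owns it.
#
# Usage:
#   check_chroot_path /var/www                 # real check: owner uid 0, walk up to /
#   check_chroot_path DIR OWNER_UID STOP_DIR   # same logic on a scratch tree (assumed
#                                              # extra arguments, for testing without root)
#
# Assumes GNU coreutils stat (Debian); the -c format is not portable to BSD stat.

component_ok() {
    # $1 = path component, $2 = required owner uid (sshd insists on 0)
    [ -d "$1" ] || { echo "FAIL $1: not a directory" >&2; return 1; }
    # %u = owner uid, %A = symbolic mode such as drwxrwxr-x; -L follows symlinks like stat(2)
    info=$(stat -L -c '%u %A' "$1") || return 1
    uid=${info%% *}
    sym=${info#* }
    [ "$uid" = "$2" ] || { echo "FAIL $1: owned by uid $uid, required uid $2" >&2; return 1; }
    case $sym in
        d????w*)    echo "FAIL $1: group-writable ($sym)" >&2; return 1 ;;   # char 6 = group w
        d???????w*) echo "FAIL $1: world-writable ($sym)" >&2; return 1 ;;   # char 9 = other w
    esac
    echo "ok   $1 ($sym, uid $uid)"
    return 0
}

check_chroot_path() {
    dir=${1%/}; [ -n "$dir" ] || dir=/
    want_uid=${2:-0}
    stop=${3:-/}; stop=${stop%/}; [ -n "$stop" ] || stop=/
    p=$dir
    while :; do
        component_ok "$p" "$want_uid" || return 1
        # stop after checking STOP_DIR (by default /) so every ancestor is covered
        [ "$p" != "$stop" ] && [ "$p" != / ] || break
        p=$(dirname "$p")
    done
    return 0
}

# Run the check when invoked with arguments, e.g.:  sh chroot-check.sh /var/www
[ $# -eq 0 ] || check_chroot_path "$@"
```

Run against the layout in this post, `check_chroot_path /var/www` passes with root-owned 755 and reports the group write bit with 775. Run against /var/www/site1 after the chmod u=rwx,g=rwxs,o=rx above it reports "group-writable", which is the intended outcome: site1 is writable because it sits below the chroot, and it is /var/www, not site1, that sshd inspects.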
08-12-2017, 01:08 PM  #3  aliweb (LQ Newbie, Registered: Jan 2011, Posts: 9, Original Poster)
Quote:
Originally Posted by Turbocapitalist
That is correct. The manual page tells about that; scroll down to "ChrootDirectory" there:
One option is to populate the /var/www/ directory as root with the files and subdirectories needed and chown those to your user or group. That will allow the files to be edited and the subdirectories worked in, yet still retain the strict permissions required by the SSH server.
However, instead I would recommend putting a subdirectory under /var/www/ and allowing your user to write to that. Leave /var/www/ for root.
Code:
sudo chown root:root /var/www/
sudo chmod u=rwx,g=rx,o=rx /var/www/
sudo mkdir /var/www/site1/
sudo chgrp sftponly /var/www/site1
sudo chmod u=rwx,g=rwxs,o=rx /var/www/site1/
Then in your SSH server's configuration file:
Code:
Match group sftponly
ChrootDirectory /var/www/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d site1
If you're going to have more than one virtual host on your web server, then I'd do it a little differently though.
Thanks for the quick reply. Yes, I do already have a site folder inside www, and I intend to host multiple sites. And since this is my own VPS, I will only use one FTP user to connect to all sites instead of creating one for each site. I guess in this case I will use ForceCommand internal-sftp instead of ForceCommand internal-sftp -d site1, correct?

08-12-2017, 01:29 PM  #4  Turbocapitalist (LQ Guru, Registered: Apr 2005, Distribution: Linux Mint, Devuan, OpenBSD, Posts: 7,756)
If you have only one SFTP user for all sites, then that would work. The -d option for the SFTP server subsystem just helps save time by putting the user into the right directory when they log in.
I would encourage you, however, to have different logins for the different people at least.
Also, since you are using SFTP to connect, the people working on the site can use various SFTP clients such as Nautilus, Dolphin, or SSHFS. Nautilus can open the remote site and treat it as a local folder, for example.
08-12-2017, 05:51 PM  #5  AwesomeMachine (LQ Guru, Registered: Jan 2005, Location: USA and Italy, Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint, Posts: 5,524)
You could move the chroot'ed directory out of the root path, and then use URL mapping to point to it.
08-13-2017, 01:23 AM  #6  Turbocapitalist (LQ Guru, Registered: Apr 2005, Distribution: Linux Mint, Devuan, OpenBSD, Posts: 7,756)
Quote:
Originally Posted by AwesomeMachine
You could move the chroot'ed directory out of the root path, and then use URL mapping to point to it.
I was expecting that they'd just change the Document Root for the virtual host. The Document Root can be any directory.
08-13-2017, 09:46 AM  #7  aliweb (LQ Newbie, Registered: Jan 2011, Posts: 9, Original Poster)
Quote:
Originally Posted by Turbocapitalist
That is correct. The manual page tells about that; scroll down to "ChrootDirectory" there:
One option is to populate the /var/www/ directory as root with the files and subdirectories needed and chown those to your user or group. That will allow the files to be edited and the subdirectories worked in, yet still retain the strict permissions required by the SSH server.
However, instead I would recommend putting a subdirectory under /var/www/ and allowing your user to write to that. Leave /var/www/ for root.
Code:
sudo chown root:root /var/www/
sudo chmod u=rwx,g=rx,o=rx /var/www/
sudo mkdir /var/www/site1/
sudo chgrp sftponly /var/www/site1
sudo chmod u=rwx,g=rwxs,o=rx /var/www/site1/
Then in your SSH server's configuration file:
Code:
Match group sftponly
ChrootDirectory /var/www/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d site1
If you're going to have more than one virtual host on your web server, then I'd do it a little differently though.
I did this and it fixed the problem!