LinuxQuestions.org
Old 08-12-2017, 11:30 AM   #1
aliweb
bad ownership or modes for chroot directory "/var/www"


I am using:

- Debian
- nginx
- php-fpm

Getting the following error in auth.log when trying to connect to the site using SFTP.

Quote:
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:

Quote:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see, I have given full permission to the group sftponly. The user through which I am connecting to SFTP is mysftpuser, which is part of the sftponly group.

If I do the following then I can connect but cannot rename, edit, delete, or overwrite any file or folder inside /var/www/

Quote:
sudo chmod 755 /var/www/
Here's my sshd_config setting

Quote:
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.

How do I fix this issue?
 
Old 08-12-2017, 12:14 PM   #2
Turbocapitalist
Quote:
Originally Posted by aliweb
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
That is correct. The manual page tells about that; scroll down to "ChrootDirectory" there:

Code:
man sshd_config
One option is to populate the /var/www/ directory as root with the files and subdirectories needed and chown those to your user or group. That will allow the files to be edited and the subdirectories worked in yet still retain the strict permissions required by the SSH server.

However, instead I would recommend putting a subdirectory under /var/www/ and allowing your user to write to that. Leave /var/www/ for root.

Code:
sudo chown root:root /var/www/
sudo chmod u=rwx,g=rx,o=rx /var/www/

sudo mkdir /var/www/site1/
sudo chgrp sftponly /var/www/site1
sudo chmod u=rwx,g=rwxs,o=rx /var/www/site1/
Then in your SSH server's configuration file:

Code:
Match group sftponly
        ChrootDirectory /var/www/
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -d site1
If you're going to have more than one virtual host on your web server, then I'd do it a little differently though.
 
Old 08-12-2017, 01:08 PM   #3
aliweb
Quote:
Originally Posted by Turbocapitalist (post #2)
Thanks for the quick reply. Yes, I do already have a site folder inside www and I intend to host multiple sites. And since this is my own VPS, I will only use one FTP user to connect to all sites instead of creating one for each site. I guess in this case I will use ForceCommand internal-sftp instead of ForceCommand internal-sftp -d site1, correct?
 
Old 08-12-2017, 01:29 PM   #4
Turbocapitalist
If you have only one SFTP user for all sites then that would work. The -d option for the SFTP server subsystem just helps save time by putting the user into the right directory when they log in.

Code:
man sftp-server
I would encourage, however, having different logins for the different people at least.

Also, since you are using SFTP to connect, the people working on the site can use various SFTP clients such as Nautilus, Dolphin, or SSHFS. Nautilus can open the remote site and treat it as a local folder, for example.
 
Old 08-12-2017, 05:51 PM   #5
AwesomeMachine
You could move the chroot'ed directory out of the root path, and then use URL mapping to point to it.
 
Old 08-13-2017, 01:23 AM   #6
Turbocapitalist
Quote:
Originally Posted by AwesomeMachine
You could move the chroot'ed directory out of the root path, and then use URL mapping to point to it.
I was expecting that they'd just change the Document Root for the virtual host. The Document Root can be any directory.
 
Old 08-13-2017, 09:46 AM   #7
aliweb
Quote:
Originally Posted by Turbocapitalist (post #2)
I did this and it fixed the problem!
All times are GMT -5.