Referencing both the EE docs article on creating chroot SFTP environments and the resource on bindfs, I’ve created two simple shell scripts to manually create chroot SFTP users in a few seconds.
sftp-new-server.sh
sftp-new-user.sh
This can help some of you get going quickly.
Primary sources:
- Chroot SFtp with EasyEngine: https://easyengine.io/docs/chroot-sftp-easyengine/
- bindfs.org: http://bindfs.org/
- Solving the Web File Permissions Problem Once and for All: http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/
You will add new users to a `hostingusers` group instead of the `www-data` group. You can also use these scripts instead of enabling login and password authentication for the `www-data` user.
What you will achieve:
An SFTP-enabled user that can only browse the site(s) mounted in the user's home directory (and only the `htdocs` directory). You can run the second script multiple times to mount additional sites to the same user's home directory.
WordPress default permissions will be set, but you can adjust this in the `sftp-new-user.sh` script.
- Directory permissions: 755
- File permissions: 644
The user can:
- View, create, delete, download/upload, and modify all site files and directories in `htdocs/` via SFTP connection.
- Newly created and uploaded files/directories will automatically default to `www-data:www-data` ownership in `/var/www/ee-site.com`, while `/home/user/ee-site.com` will have `user:user` ownership, all thanks to bindfs.
Requirements:
These scripts have only been tested on a standard Ubuntu 14.04 server setup running EasyEngine. In my case:
- Root login disabled
- Password authentication disabled
- Server managed with keypair authenticated sudo user
You must install bindfs: `sudo apt-get install -y bindfs`
Server Preparation script: sftp-new-server.sh
This script prepares the server by creating a new group (“hostingusers”) and modifying the `sshd_config` file.
This script must only be executed once per server. It will also enable password authentication for all users added to the `hostingusers` group as part of a match group rule.
Create New User script: sftp-new-user.sh
Before executing the `sftp-new-user.sh` script, and for each new user you want to create, you must open the script and do a search-replace on all instances of `ee-user` (replace with the new username) and `ee-site.com` (replace with the site you're linking your new user to). You can easily do this using Nano, Vim, etc.
If you haven't already, create your site using the `ee site create example.com` command. Now you're ready to run the script.
This script:
- creates the new user with a sample password
- adds the user to “hostingusers” group
- creates SFTP home directory
- sets initial ownerships and permissions based on EE article
- adds the bindfs conditions in `/etc/fstab` and mounts the webroot
Feel free to go through the scripts and adjust them to your liking.
Provided you can execute the scripts, they should work out of the box for default Ubuntu 14.04 (and probably 16.04) setups. However, I highly recommend you test this first on a sandbox server or take a snapshot/backup that you can roll back to.
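To make the two steps above concrete, here is an added example (not the author's scripts) that renders the `sshd_config` Match block the server-preparation step installs and the bindfs `/etc/fstab` line the per-user step installs, plus a check for the ownership rule sshd enforces on a `ChrootDirectory`. The user and site names are placeholders; the exact option set is an assumption based on the bindfs and netgusto articles linked above.

```shell
#!/bin/sh
# Added example; constructed from the post's description, not the original scripts.
set -eu

# sshd_config fragment for the server step: members of the hostingusers group
# are jailed in their home directory (%h), limited to the internal SFTP server,
# and allowed password login only inside this Match block.
render_sshd_match() {
  group="$1"
  printf 'Match Group %s\n    ChrootDirectory %%h\n    ForceCommand internal-sftp\n    AllowTcpForwarding no\n    X11Forwarding no\n    PasswordAuthentication yes\n' "$group"
}

# /etc/fstab line for the per-user step: the site webroot appears inside the
# jail as $user:$user, while anything created through the mount lands in
# /var/www as www-data:www-data; chown/chgrp/chmod from SFTP are ignored so
# the 755/644 defaults set outside the mount cannot be changed by the user.
render_bindfs_fstab() {
  user="$1"; site="$2"
  printf 'bindfs#/var/www/%s/htdocs /home/%s/%s fuse force-user=%s,force-group=%s,create-for-user=www-data,create-for-group=www-data,chown-ignore,chgrp-ignore,chmod-ignore 0 0\n' \
    "$site" "$user" "$site" "$user" "$user"
}

# sshd only accepts a ChrootDirectory whose path components are owned by root
# and are not group- or world-writable; otherwise every hostingusers login
# fails once the Match block is live. Pure check on (uid, octal mode).
chroot_perms_ok() {
  uid="$1"; mode="$2"
  [ "$uid" = 0 ] || return 1
  case "$mode" in
    *[2367]?|*[2367]) return 1 ;;   # write bit set for group or other
  esac
  return 0
}

# Wrapper for a real directory (GNU stat), e.g. check_chroot_dir /home/ee-user
check_chroot_dir() {
  chroot_perms_ok "$(stat -c %u "$1")" "$(stat -c %a "$1")"
}
```

Run `check_chroot_dir /home/<new-ee-user>` before restarting sshd; the home directory itself must stay root-owned, with the site mounted in a subdirectory the user owns.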
Directions:
```
sudo apt-get install -y bindfs
cd /path/to/scripts
sudo ./sftp-new-server.sh
sudo ./sftp-new-user.sh
sudo passwd <new-ee-user>
```
Now try connecting via SFTP (e.g. FileZilla).
Host: <server-ip-address>
Port: 22
User: <new-ee-user>
Password: <your-password>