
I have an EC2 instance running Ubuntu 20.04. I need to set up multiple SFTP users with the following requirements:

Each can log in directly to their own directory. They should not be able to see, or know about, the other users or their directories. They should not be able to browse outside of their directory, but they can upload or delete files there. From my PHP code, I need to be able to read and delete files from inside each of the directories. I've done a lot of searching and trial and error. I've been able to create subfolders in /home for each user (i.e. /home/user1, /home/user2, etc.). But when I SFTP in as user1, I'm able to browse outside my folder and see user2, though I do not have access into the user2 directory. Also, my PHP code is not able to read the files.

I welcome any ideas and help. Thanks in advance!

In case it helps, the reason they should not be able to browse outside of their folders is because each is a customer and they should not be able to see who our other customers are.

1 Answer

They should not be able to see, or know about, the other users or their directories.

Use the "chroot" configuration in sshd to enforce this for SFTP. See the "sshd_config" manual page.

But also use PHP's open_basedir to ensure they can't read things like /etc/passwd or /run/utmp through PHP code, where SFTP restrictions are not in effect.

Perhaps also remove world 'read' (but not 'execute'!) permissions from /home and from the Apache vhost configuration directory.

From my php code, I need to be able to read and delete files from inside each of the directories.

Don't try to grant write privileges to the shared "www-data" UID that your PHP code currently runs as. (This is possible, but a high risk: as soon as one website is hacked, the attacker could immediately gain access to all websites on the server, and you don't want that.)

Instead, configure the server so that each customer's PHP code runs under a separate system account. There are several ways to achieve such separation, e.g. creating a new PHP-FPM pool for every customer (probably the preferred solution for performance), or using Apache's mpm_itk (easier to set up but has its own caveats).

  • Thanks @user1686, but I've already tried the sshd_config and chroot option. Even though I have /home owned by root (which is what all the instructions said to do), users I set up can still browse above their directory and see the other directories in /home. This is what I have in ssh_config (I've changed the actual usernames to user1, etc.):
        Port 22
        Match User user1,user2,user3,user4,user5,user6,user7,user8,user9,user10,user11
            ForceCommand internal-sftp
            PasswordAuthentication yes
            ChrootDirectory /home
            PermitTunnel no
            AllowAgentForwarding no
            AllowTcpForwarding no
            X11Forwarding no
    – Jeff T
    Commented Nov 26, 2021 at 20:59
  • If you want to limit users to their home only, you have to chroot them to their home, i.e. %h I think, not to /home overall. They will always be allowed to reach the top of the chroot – sshd doesn't have any specific "+1 level" automagic like that. Commented Nov 26, 2021 at 21:46
