I'm on Debian 11, using openssh-server 8.4, trying to build an sftp server for HTML uploads.
The upload destination directory is "/var/www/html" and the username is "sftp-user".
Also, the server domain is assumed here to be example.com.
I changed the "Subsystem" line in the "/etc/ssh/sshd_config" file to
Subsystem sftp internal-sftp
and added the following lines to restrict port 22 to sftp only.
Match LocalPort 22
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
After that, I added the following lines to specify the upload destination directory:
Match User sftp-user
ChrootDirectory /var/www/html
PermitTunnel no
AllowAgentForwarding no
ForceCommand internal-sftp
I restarted sshd with systemctl here.
The owner of the /var/www/html directory should be www-data, so I created a group called "uploaders", gave that group ownership of the directory with the following commands, and added the user "sftp-user" to the "uploaders" group.
groupadd uploaders
chown -R www-data:uploaders /var/www/html
gpasswd -a sftp-user uploaders
Finally, I ran the following command to set the mode of "/var/www/html" so that the group can also read and write.
chmod -R 0775 /var/www/html
Then I tried to access the server with the sftp command:
sftp -P 22 sftp-user@example.com
However, the following messages are output and the connection is closed.
Connection to example.com closed by remote host.
Connection closed.
Connection closed
However, if I change the owner of "/var/www/html/" to root, I can access it without any problem.
As mentioned earlier, the directory must be owned by www-data and cannot be changed. Is there a way to enable sftp access even when the directory owner is not root?
"sshd(8) checks that all components of the pathname are root-owned directories which are not writable by any other user or group."
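As an added example (not part of the original question), a POSIX shell script that applies the sshd(8) rule quoted above to each component of a proposed ChrootDirectory path and reports the first component sshd would refuse; it assumes GNU stat, as shipped with Debian coreutils.

```shell
#!/bin/sh
# Added example: reproduce the ChrootDirectory ownership/permission rule from
# sshd(8) so a rejected chroot can be diagnosed before restarting sshd.
# Every component of the path (/, /var, /var/www, /var/www/html) must be a
# root-owned directory that is neither group- nor world-writable.

# check_component UID MODE
#   UID and MODE are as printed by `stat -c '%u %a'` (e.g. "0 755", "33 1777").
#   Returns 0 if sshd would accept the component, otherwise prints the reason
#   and returns 1.
check_component() {
    uid=$1; mode=$2
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    if [ "$uid" -ne 0 ]; then
        echo "not owned by root (uid $uid)"; return 1
    fi
    if [ $((group & 2)) -ne 0 ]; then
        echo "group-writable (mode $mode)"; return 1
    fi
    if [ $((other & 2)) -ne 0 ]; then
        echo "world-writable (mode $mode)"; return 1
    fi
    return 0
}

# check_chroot_path /abs/path
#   Walks every prefix of the path, starting at "/", and reports the first
#   component sshd would reject (or a stat failure). Returns 0 if all pass.
check_chroot_path() {
    cur="/"
    set -- $(printf '%s\n' "$1" | tr '/' ' ')   # path components, empties dropped
    while :; do
        info=$(stat -c '%u %a' "$cur") || return 1
        if reason=$(check_component $info); then :; else
            echo "$cur: $reason"; return 1
        fi
        [ $# -eq 0 ] && return 0
        case $cur in /) cur="/$1" ;; *) cur="$cur/$1" ;; esac
        shift
    done
}

# Usage: sh check_chroot.sh /var/www/html
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" && echo "$1: acceptable as ChrootDirectory"
fi
```

For the setup in the question, /var/www/html owned by www-data and mode 0775 fails on both counts, which is why sshd drops the session; the usual arrangement is to chroot to a root-owned parent such as /var/www and grant the uploaders group write access only to the html subdirectory beneath it.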