Setting Up Chroot SFTP Users for EasyEngine Sites (bindfs)


#1

Referencing both the EE docs article on creating chroot SFTP environments and the resource on bindfs, I’ve created two simple shell scripts to manually create chroot SFTP users in a few seconds.

  1. sftp-new-server.sh
  2. sftp-new-user.sh

This can help some of you get going quickly.

Primary sources:

You will add new users to a hostingusers group instead of www-data group. You can also use these scripts instead of enabling login and password authentication for the www-data user.

What you will achieve:

An SFTP-enabled user that can only browse the site(s) mounted in the user’s home directory (and only /htdocs directory). You can run the second script multiple times to mount additional sites to the same user’s home directory.

WordPress default permissions will be set but you can adjust this in the sftp-new-user.sh script.

  • Directory permissions: 755
  • File permissions: 644

The user can:

  1. View, create, delete, download/upload, and modify all site files and directories in htdocs/ via SFTP connection.
  2. Newly created and uploaded files/directories will automatically default to www-data:www-data ownership in /var/www/ee-site.com, while /home/user/ee-site.com will have user:user ownership, all thanks to bindfs.

Requirements:

These scripts have only been tested on a standard Ubuntu 14.04 server setup running EasyEngine. In my case:

  • Root login disabled
  • Password authentication disabled
  • Server managed with keypair authenticated sudo user

You must install bindfs sudo apt-get install -y bindfs

Server Preparation script: sftp-new-server.sh

This script prepares the server by creating a new group (“hostingusers”) and modifying the sshd_config file.

This script must only be executed once per server. It will also enable password authentication for all users added to the hostingusers group as part of a match group rule.

Create New User script: sftp-new-user.sh

Before executing the sftp-new-user.sh script, and for each new user you want to create, you must open the script and do a search-replace on all instances of ee-user (replace with new username) and ee-site.com (replace with the site you’re linking your new user to). You can easily do this using Nano, Vim, etc.

And if you haven’t already, then create your site using ee site create example.com command. Now you’re ready to run the script.

This script:

  1. creates the new user with a sample password
  2. adds the user to “hostingusers” group
  3. creates SFTP home directory
  4. sets initial ownerships and permissions based on EE article
  5. adds the bindfs conditions in /etc/fstab and mounts the webroot

Feel free to go through the scripts and adjust them to your liking.

Provided you can execute the scripts, they should work out of the box for default Ubuntu 14.04 (and probably 16.04) setups. However, I highly recommend you test this first on a sandbox server or take a snapshot/backup that you can roll back to.

Directions:

sudo apt-get install -y bindfs    
cd /path/to/scripts
sudo ./sftp-new-server.sh
sudo ./sftp-new-user.sh
sudo passwd <new-ee-user>

Now try connecting via SFTP (e.g. FileZilla).

Host: <server-ip-address>
Port: 22
User: <new-ee-user>
Password: <your-password>

How to create SFTP user?
#2

UPDATE: Tested on Ubuntu 16.04, works perfectly.


#3

Thanks for the script. But I got a problem: I use an Azure VM for EE. Also I attach a managed disk to the VM on which I have all my WP data following this guide: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/classic/attach-disk I use sudo mount /dev/sdc1 /var/www to mount the disk to my VM. In my fstab I write UUID=33333333-3b3b-3c3c-3d3d-3e3e3e3e3e3e /var/www ext4 defaults,nofail 1 2 (With the real UUID of course.) Everything works up to this point. I can restart the VM, write in Wordpress, upload in WP, etc.

If I use your script now, the fstab obviously gets messed up, as the VM doesn’t restart anymore. If I don’t attach a disk and run the script, everything works as expected. Also if I don’t restart it works even with the attached disk. So in my eyes it’s the fstab.

Maybe someone who has more knowledge as I can help me with this :wink: Thanks


#4

Ok I finally found the problem: In the user-script you use this line 46: bindfs#/var/www/ee-site.com/htdocs /home/ee-user/ee-site.com/htdocs fuse force-user=ee-user,force-group=ee-user,create-for-user=www-data,create-for-group=www-data,create-with-perms=gd=rx:gf=r:ud=rwx:uf=rw:od=rx:of=r,chgrp-ignore,chown-ignore,chmod-ignore 0 0

The syntax is wrong as explained here. Instead of bindfs# at the beginning of the line it wants “fuse.bindfs”. So the correct line 46 would be: /var/www/ee-site.com/htdocs /home/ee-user/ee-site.com/htdocs fuse.bindfs force-user=ee-user,force-group=ee-user,create-for-user=www-data,create-for-group=www-data,create-with-perms=gd=rx:gf=r:ud=rwx:uf=rw:od=rx:of=r,chgrp-ignore,chown-ignore,chmod-ignore 0 0

with this setting it works like a charm (at least in my situation).


#5

Does that allow chroot user to ssh in home directory?

i need to give sftp user ssh access restrict to his home directory only.

Thanks


#6