Referencing both the EE docs article on creating chroot SFTP environments and the resource on bindfs, I’ve created two simple shell scripts to manually create chroot SFTP users in a few seconds.
This can help some of you get going quickly.
- Chroot SFtp with EasyEngine: https://easyengine.io/docs/chroot-sftp-easyengine/
- bindfs.org: http://bindfs.org/
- Solving the Web File Permissions Problem Once and for All: http://blog.netgusto.com/solving-web-file-permissions-problem-once-and-for-all/
You will add new users to a hostingusers group instead of the www-data group. You can also use these scripts instead of enabling login and password authentication for the
What you will achieve:
An SFTP-enabled user who can only browse the site(s) mounted in their home directory (and only the /htdocs directory of each site). You can run the second script multiple times to mount additional sites into the same user's home directory.
WordPress default permissions will be set, but you can adjust this in the
- Directory permissions: 755
- File permissions: 644
The user can:
- View, create, delete, download/upload, and modify all site files and directories under htdocs/ via an SFTP connection.
- Newly created and uploaded files and directories automatically get user:user ownership, thanks to bindfs.
These scripts have only been tested on a standard Ubuntu 14.04 server setup running EasyEngine. In my case:
- Root login disabled
- Password authentication disabled
- Server managed with keypair authenticated sudo user
You must install bindfs first:
sudo apt-get install -y bindfs
Server Preparation script: sftp-new-server.sh
This script prepares the server by creating a new group (“hostingusers”) and modifying the
This script must only be executed once per server. It also enables password authentication, through a Match Group rule, only for users in the hostingusers group, so the server-wide password authentication setting can stay disabled.
Create New User script: sftp-new-user.sh
Before executing sftp-new-user.sh, and for each new user you want to create, open the script and search-and-replace every instance of ee-user (with the new username) and ee-site.com (with the site you are linking the new user to). You can do this with Nano, Vim, etc.
If you haven’t already, create the site with the ee site create example.com command. Now you’re ready to run the script, which:
- creates the new user with a sample password
- adds the user to “hostingusers” group
- creates SFTP home directory
- sets initial ownerships and permissions based on EE article
- adds the bindfs entry to /etc/fstab and mounts the webroot
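The two scripts themselves are not reproduced in this post. What follows is an added example of my own, not the author’s sftp-new-server.sh or sftp-new-user.sh, that performs the same steps in one script: the server-preparation half appends a Match Group block to sshd_config and creates the group, and the per-user half creates the user, a root-owned chroot home, the mount point and the bindfs line in /etc/fstab. Everything not stated in the post is an assumption: the chroot is /home/<user>, each site is mounted at /home/<user>/<site>/htdocs, the EasyEngine webroot is /var/www/<site>/htdocs, sshd reads /etc/ssh/sshd_config, and the exact bindfs options (force-user/force-group plus create-for-user/create-for-group=www-data) are my choice. The root-ownership check on the chroot directory is an OpenSSH requirement, not something the post states.

```shell
#!/bin/sh
# Added example: one script covering what the post describes the two scripts
# doing. Not the author's sftp-new-server.sh / sftp-new-user.sh.
# Assumptions not taken from the post: chroot is /home/<user>, each site is
# mounted at /home/<user>/<site>/htdocs, sshd reads /etc/ssh/sshd_config, and
# the EasyEngine webroot is /var/www/<site>/htdocs.
set -eu

HOSTING_GROUP="hostingusers"

# Accept only plain lowercase names: both values are spliced into sshd_config,
# /etc/fstab and filesystem paths, so reject spaces, slashes and "..".
valid_name() {
    case "$1" in
        ''|-*|*..*|*[!a-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The Match block the server-prep step appends to sshd_config. Match blocks
# must come last in the file, and this is the only place password
# authentication is turned on, so the global "PasswordAuthentication no" stays.
sshd_match_block() {
    cat <<EOF
Match Group ${HOSTING_GROUP}
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
EOF
}

# One /etc/fstab line per site. force-user/force-group make the mounted tree
# look owned by the SFTP user; create-for-user/-group write new files to the
# real webroot as www-data so nginx/php-fpm keep working; the *-ignore options
# stop the user from changing ownership or mode of the real files.
fstab_line() {
    user="$1"; site="$2"
    opts="force-user=${user},force-group=${user}"
    opts="${opts},create-for-user=www-data,create-for-group=www-data"
    opts="${opts},chown-ignore,chgrp-ignore,chmod-ignore"
    printf '%s %s fuse.bindfs %s 0 0\n' \
        "/var/www/${site}/htdocs" "/home/${user}/${site}/htdocs" "$opts"
}

# Server preparation, run once: create the group, append the Match block,
# and refuse to reload sshd unless the new config parses (sshd -t).
prepare_server() {
    cfg="${1:-/etc/ssh/sshd_config}"
    getent group "$HOSTING_GROUP" >/dev/null || groupadd "$HOSTING_GROUP"
    if ! grep -q "^Match Group ${HOSTING_GROUP}\$" "$cfg"; then
        cp "$cfg" "${cfg}.bak.$(date +%s)"
        { echo; sshd_match_block; } >>"$cfg"
    fi
    sshd -t -f "$cfg"
    service ssh reload
}

# Per-user step. OpenSSH only chroots into a directory that root owns and that
# nobody else can write, so the home stays root:root 0755 and the user gets
# write access only through the bindfs mount underneath it.
add_sftp_user() {
    user="$1"; site="$2"
    valid_name "$user" && valid_name "$site" || { echo "bad user or site name" >&2; return 1; }
    [ -d "/var/www/${site}/htdocs" ] || { echo "run first: ee site create ${site}" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || \
        useradd -m -d "/home/${user}" -s /usr/sbin/nologin -G "$HOSTING_GROUP" "$user"
    chown root:root "/home/${user}"; chmod 755 "/home/${user}"
    install -d -o root -g root -m 755 "/home/${user}/${site}"
    install -d -o "$user" -g "$user" -m 755 "/home/${user}/${site}/htdocs"
    grep -qF " /home/${user}/${site}/htdocs " /etc/fstab || fstab_line "$user" "$site" >>/etc/fstab
    mount "/home/${user}/${site}/htdocs"
    echo "now set a real password: passwd ${user}"
}

# usage (as root): sftp-chroot.sh server | user <name> <site>
if [ "$#" -gt 0 ]; then
    case "$1" in
        server) prepare_server ;;
        user)   add_sftp_user "${2:?user name}" "${3:?site name}" ;;
        *)      echo "usage: $0 server | user <name> <site>" >&2; exit 2 ;;
    esac
fi
```

Run `sftp-chroot.sh server` once, then `sftp-chroot.sh user <name> <site>` per user and site, followed by `passwd <name>`. The script never reloads sshd on a config that fails `sshd -t`, because a broken sshd_config on a key-only server locks you out. Running `user` again for the same user with a second site just adds another fstab line and mount, which is the "run the second script multiple times" case from the post.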
Feel free to go through the scripts and adjust them to your liking.
Provided you can execute the scripts, they should work out of the box for default Ubuntu 14.04 (and probably 16.04) setups. However, I highly recommend you test this first on a sandbox server or take a snapshot/backup that you can roll back to.
sudo apt-get install -y bindfs
cd /path/to/scripts
sudo ./sftp-new-server.sh
sudo ./sftp-new-user.sh
sudo passwd <new-ee-user>
Run the passwd step straight away: the user script leaves the account with its sample password, and the Match Group rule has just enabled password authentication for that group.
Now try connecting via SFTP (e.g. FileZilla).
Host: <server-ip-address>
Port: 22
User: <new-ee-user>
Password: <your-password>