Procedure for registering jailed users and uploading to a www folder


I was writing a small howto to register jailed users that can upload and modify files in a folder inside /var/www. I would like you to check whether it is a valid and safe procedure, whether we are missing something, or whether there are other alternatives to this.

We work on RedHat / Centos 7.

First we edit the file /etc/ssh/sshd_config and comment out the following line:

Subsystem sftp /usr/libexec/openssh/sftp-server

Then we add the following lines:

Subsystem sftp internal-sftp
Match Group sftp_group
    X11Forwarding no
    AllowTcpForwarding no
    ChrootDirectory /home/%u
    ForceCommand internal-sftp

And restart the SSH service:

$ systemctl restart sshd

Once the SFTP service is prepared, we run the following commands:

$ USUARIO=DEVUser
$ groupadd sftp_group
$ useradd $USUARIO
$ usermod -g sftp_group -s /bin/false $USUARIO
$ chmod 777 /home/$USUARIO
$ chown root:root /home/$USUARIO
$ chmod go-w /home/$USUARIO
$ mkdir /home/$USUARIO/site
$ chmod 644 /home/$USUARIO/site
$ chmod ug+rwX /home/$USUARIO/site
$ chown $USUARIO:sftp_group /home/$USUARIO/site

We give the user a password:

$ passwd $USUARIO

Edit the file /etc/fstab and add the following line, so that the folder holding the web content is bind-mounted (mirrored) inside the user's folder and the user can access it:

# Jailed users
/var/www/sitioweb /home/DEVUser/site none bind,rw

And finally, so that the user DEVUser, who belongs to the group sftp_group, can add and modify files that later have to be read by the apache user:

$ setfacl -R -d -m u:apache:rwx /var/www/sitioweb
$ setfacl -R -d -m g:apache:rwx /var/www/sitioweb
$ setfacl -R -m u:DEVUser:rwx /var/www/sitioweb

I did file upload tests with the registered user, and it works correctly, but we do not know whether this is the correct procedure for this case. If it is, I leave it here for anyone who wants to implement something similar.

Thank you!

asked by xavs 20.12.2018 at 08:57
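An audit script for the procedure above, added here as an example and not part of the original question. It assumes the names used in the post (DEVUser, sftp_group, /var/www/sitioweb) and the GNU stat/getfacl tools found on CentOS 7.

```sh
#!/bin/sh
# Added audit script (not from the original post). It checks what the procedure
# relies on: sshd refuses a ChrootDirectory unless it and every parent are
# root-owned and not group/world writable; the user must be in the Match group;
# the bind mount must be in fstab; apache needs the default ACL on the site.

# chroot_component_ok UID OCTAL_MODE: root-owned and no group/other write bit.
chroot_component_ok() {
    [ "$1" = "0" ] || return 1
    case "$2" in *[2367]?|*[2367]) return 1 ;; esac   # g+w or o+w is set
    return 0
}

# check_chroot_path DIR: apply the rule to DIR and each parent up to /.
check_chroot_path() {
    dir=$1
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 1
        set -- $info
        chroot_component_ok "$1" "$2" || { echo "bad ownership or modes: $dir" >&2; return 1; }
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# user_in_group USER GROUP: true when USER is a member of GROUP.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# bind_mount_in_fstab SRC DST [FSTAB]: an uncommented entry binds SRC onto DST.
bind_mount_in_fstab() {
    awk -v src="$1" -v dst="$2" '
        $1 !~ /^#/ && $1 == src && $2 == dst && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { found = 1 }
        END { exit !found }' "${3:-/etc/fstab}"
}

# audit_sftp_user USER GROUP SITE: run as root on the server; reports the first failed check.
audit_sftp_user() {
    check_chroot_path "/home/$1" || return 1
    user_in_group "$1" "$2" || { echo "$1 is not in $2" >&2; return 1; }
    bind_mount_in_fstab "$3" "/home/$1/site" || { echo "no bind mount for $3 in /etc/fstab" >&2; return 1; }
    getfacl -cp "$3" 2>/dev/null | grep -qx "default:user:apache:rwx" \
        || { echo "apache has no default ACL on $3" >&2; return 1; }
    echo "all checks passed for $1"
}

if [ "${1:-}" = "--audit" ]; then audit_sftp_user DEVUser sftp_group /var/www/sitioweb; fi
```

Run it as root with `--audit` after completing the steps; the chroot check is the one that most often breaks a "works locally" setup, because a writable parent directory makes sshd reject the login.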

0 answers