Linux – Setting Up FTP/SFTP Restricted Access for User

I run a server (Ubuntu 18.04) that hosts about a dozen websites using Linode. Most of the sites are run using WordPress and are my own or sites I manage for friends or family. I do, however, host one for a colleague who actively develops online content for that site.

As WordPress has developed, the ability to upload various file types has slowly been removed for security reasons. As a result, for certain types of files, it is now required to upload them using a different approach. I can do so using SSH, but GUI FTP/SFTP software was going to be easier in this situation as the person responsible for managing that site doesn’t have a lot of knowledge managing a website. I explained to this person, we’ll call her Sharon, that it would be possible for her to upload these files herself using FTP/SFTP. She was worried as she doesn’t know what that is or how to use it. But I explained it and, hopefully, she’ll grow more comfortable with it.

However, I don’t want a novice to gain access to all the files on my server. So, I was faced with the question of how to set up an FTP/SFTP account for someone that is restricted to just one folder – a folder where she can upload stuff and delete files, but with no access to anything else.

Here’s how I did it.

First, you should create a new user group on your server. This can be done with the following command:

sudo addgroup --system GROUPNAME

This will add a new user group called GROUPNAME (I called mine “ftpusers”). If this individual isn’t currently a user on your server, add them as a user as well:

sudo adduser --shell /bin/false USER

Replace “USER” with whatever name you’re using for this individual; for me it was “sharon.” You’ll need to create a password for your USER and fill in some additional information. Then add your USER to your GROUPNAME with the following command:

sudo usermod -a -G GROUPNAME USER

Or my command:

sudo usermod -a -G ftpusers sharon

So, you have now created a new group and a new user and added the new user to the new group. Of course, the next step is to restrict what your new USER can do. In particular, we want the user to have access to just a single directory. Here’s how that is done.

You can create a directory the user can use:

sudo mkdir -p /var/sftp/NEWFOLDER

This folder can be anywhere on your server. I put mine in a subfolder of their WordPress installation:

sudo mkdir -p /var/web/DOMAIN/public/wp-content/uploads/NEWFOLDER

Now, we need to tell the server to restrict USER to this NEWFOLDER when they log in. First, let’s give ownership of that folder to the user with the chown command:

sudo chown USER:GROUPNAME /var/sftp/NEWFOLDER

We should also make sure the permissions for the new folder are what we want them to be. Mode 755 gives the owner (USER) read, write and execute, and gives the group and everyone else read and execute only:

sudo chmod 755 /var/sftp/NEWFOLDER

If you navigate to that folder and check the settings, you should see that the owner is now the USER and the GROUPNAME (you can check with “ls -l”). It’s not a bad idea to also check to make sure that the folder above it is owned by “root” or your primary user, which will prevent your new USER from being able to make changes to that folder.

So far, we have a new USER and GROUPNAME and the user has a folder they can access. However, we need to tell the server that the user needs SFTP access and then force them into just that one folder when they log in with SFTP.

To grant them SFTP access, you need to change the SSH settings:

sudo nano /etc/ssh/sshd_config

This will open the file “sshd_config” with a text editor (nano) so you can make changes. At the end of the file, you want to add the following text:

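Match Group GROUPNAME
ForceCommand internal-sftp
PasswordAuthentication yes
ChrootDirectory /var/sftp/NEWFOLDER
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

This allows users in the group GROUPNAME SFTP access to the folder you created for them. The block has to begin with “Match Group” for that; “Match User GROUPNAME” would apply only to an account that is itself named GROUPNAME, and everyone else would get SFTP without the chroot. Be aware that sshd refuses the login unless the ChrootDirectory and every directory above it are owned by root and not writable by group or others, so a folder that has been chowned to USER as above will be rejected as a chroot. The usual arrangement is a root-owned chroot directory with the user’s writable folder inside it.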

Before you close the nano session with “sshd_config”, you may have to change one other setting. Look for a line that says:

Subsystem sftp /usr/lib/openssh/sftp-server

Mine was not commented out, so that setting was active. However, given the settings we just added to the file, we need to change that. Comment out that line:

#Subsystem sftp /usr/lib/openssh/sftp-server

Below that line, add the following line:

Subsystem sftp internal-sftp

I’m guessing that the original line specified a location for the sftp-server to be used by the server but we want the server to determine the best location for the sftp-server it is going to use and that’s what the second line does. (Alternatively, in the text added to “sshd_config” the line “ForceCommand internal-sftp” could probably be left off, meaning you wouldn’t have to do the step I just described. I haven’t tried that, but it may work.)

Anyway, when you’re done editing the “sshd_config” file, save it and exit from nano.

Finally, to make sure that the new USER is forced into the specified folder when they log in, you have to make one more change. This changes the home directory for the user so they are forced into that directory when they log in. Here’s the command:

sudo usermod -d /var/sftp/NEWFOLDER USER

This makes the folder you created (NEWFOLDER) the home directory for the USER so, when they log in using SFTP, they will be forced directly into that folder.

There you have it. You have a new user in a group with restricted SFTP access and the user will be forced directly into the folder you created where they can upload, modify, and delete content. They will not have access to anything else on the server, so the rest of your content will be safe.
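
As an added example (not part of the original post), this shell function checks a directory the way sshd checks a ChrootDirectory: every path component must be owned by root and must not be writable by group or others, otherwise the login is refused. The function names are made up for illustration, and the path in the closing comment is the guide's placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# directory named in ChrootDirectory. sshd accepts it only if every path
# component is owned by root (uid 0) and not writable by group or others.
# Uses GNU/BusyBox `stat -c`, as found on Ubuntu.

# component_ok UID MODE: succeeds if a directory with this owner and octal
# mode (as printed by `stat -c '%u %a'`) passes sshd's check.
component_ok() {
    [ "$1" -eq 0 ] || return 1
    # 022 = the group-write and other-write permission bits
    [ $(( 0$2 & 022 )) -eq 0 ]
}

# check_chroot_path DIR: prints every failing component from DIR up to /.
# Returns 0 if all pass, 1 if any fail, 2 if DIR is not a directory.
check_chroot_path() {
    cc_path=$(cd -- "$1" 2>/dev/null && pwd -P) || return 2
    cc_rc=0
    while :; do
        cc_info=$(stat -c '%u %a' -- "$cc_path")
        if ! component_ok "${cc_info% *}" "${cc_info#* }"; then
            echo "BAD: $cc_path (uid=${cc_info% *}, mode=${cc_info#* })"
            cc_rc=1
        fi
        [ "$cc_path" = "/" ] && break
        cc_path=$(dirname -- "$cc_path")
    done
    return "$cc_rc"
}

# Example with the guide's placeholder path:
#   check_chroot_path /var/sftp/NEWFOLDER && echo "usable as ChrootDirectory"
```

After editing sshd_config, `sudo sshd -t` checks the file for errors before the SSH service is restarted.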

Acknowledgments: I figured all of the above out with help from these sites: here, here, here, and here.


Virtual Private Hosting – How to Remove a Domain with Certbot SSL Certificate (on Ubuntu 16.04 with apache)

It used to be pretty easy to remove a domain from my Virtual Private Server – disable the site in apache, delete the files, delete the underlying database, and remove the domain from my DNS manager. Done.

With SSL certificates now a standard part of hosting websites (see here), this is complicated by the removal of those certificates. I am extremely grateful to the EFF for providing a free way to get SSL certificates through certbot and letsencrypt. Adding domains with certbot is pretty easy, but changing the domains with certificates is not so easy. In fact, it’s pretty complicated and there aren’t great directions out there (which is why I put this guide together).

In this guide, I’ll show you how to remove a domain from a virtual private server (I use linode.com) along with removing the SSL certificate. I was hosting a domain and website for a friend, but that person decided they no longer needed the domain. Here’s how I removed it.

First, it’s always a good idea to back up the files associated with the domain, just in case. I use phpMyAdmin to manage my SQL databases. Log in to your phpMyAdmin site, find the database associated with your site, and select Export.

You shouldn’t need to change any options, just select “Go” and phpMyAdmin will export the entire database.

To download all the files associated with your site, you can zip them from an SSH terminal or download them via FTP. I use Filezilla. Find the folder that contains all the files for your website and download the whole thing.

Now that you have a backup of everything, it’s time to start unmounting.

First, you should dismount your site in apache.

sudo a2dissite [domain]

You also need to dismount the site with encryption, which is the same command, but with the following addition:

sudo a2dissite [domain]-le-ssl.conf

Then reload your apache2 configuration:

sudo service apache2 reload

If you’ve done everything correctly, when apache reloads, there won’t be any errors.

Next, delete the certificate associated with your domain in certbot. To delete the certificate associated with a specific domain, the command is:

sudo certbot delete --cert-name [enter domain here]

That will delete the certificate associated with that domain.

You may also need to update your certificate profile by using the command:

sudo certbot --apache

This will list all of the domains you have certificates for. You can then select all of the other domains on your server but drop the one you want to delete. That will create a new certificate with all of the domains minus the one you have deleted.

If you are wondering whether certbot has actually removed your domain, you can check by going to /etc/letsencrypt. You want to make sure that your domain is no longer showing up in any of the /live, /renewal, or /archive folders. If you still see it in there, it should be safe at this point to delete any folders with the name of the domain in them.

Next, you can delete the corresponding database. In phpMyAdmin, click on “Server: localhost” then click on “Databases.” Select the box next to the database you want to delete, then, at the bottom, click “Drop”. You’ll get a warning about destroying a database. Select OK and the database is gone.

We’re almost done. Now, delete the files for your site. You can do this with the rm command from the terminal or using your FTP client.

Now, you should delete the apache site files that are located in /etc/apache2/sites-available. These are the two that were dismounted earlier: [DOMAIN].conf and [DOMAIN]-le-ssl.conf.

You can restart the apache service one more time to make sure everything is working, but you should be good.

Finally, you can delete the domain from your DNS manager.

That should do it. The domain should now be gone, entirely, from your server.
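
The leftover check described above can be scripted; this is an added example, not from the original post, and `find_leftovers` and its directory parameters are names chosen here. It also reports enabled vhost files that still reference the deleted certificate, since Apache will not reload while such a reference remains.

```shell
#!/bin/sh
# Added example (not from the original post): report what is still left of a
# removed domain. Directory arguments default to the Ubuntu locations the
# guide uses; they are parameters so the check can run against a test tree.

# find_leftovers DOMAIN [LE_DIR] [APACHE_DIR]
# Prints one line per leftover; returns 0 if the domain is gone, 1 otherwise.
find_leftovers() {
    fl_domain=$1
    fl_le=${2:-/etc/letsencrypt}
    fl_apache=${3:-/etc/apache2}
    fl_found=0

    # Certificate lineage, key archive, renewal config, and both vhost files.
    for fl_p in \
        "$fl_le/live/$fl_domain" \
        "$fl_le/archive/$fl_domain" \
        "$fl_le/renewal/$fl_domain.conf" \
        "$fl_apache/sites-enabled/$fl_domain.conf" \
        "$fl_apache/sites-enabled/$fl_domain-le-ssl.conf" \
        "$fl_apache/sites-available/$fl_domain.conf" \
        "$fl_apache/sites-available/$fl_domain-le-ssl.conf"
    do
        # -L also catches a dangling sites-enabled symlink.
        if [ -e "$fl_p" ] || [ -L "$fl_p" ]; then
            echo "leftover: $fl_p"
            fl_found=1
        fi
    done

    # An enabled vhost that still points at the deleted certificate makes
    # Apache fail on its next reload, so report those files as well.
    fl_refs=$(grep -lF "/live/$fl_domain/" "$fl_apache"/sites-enabled/*.conf 2>/dev/null) || true
    if [ -n "$fl_refs" ]; then
        echo "$fl_refs" | sed 's/^/references cert: /'
        fl_found=1
    fi
    return "$fl_found"
}

# Example: find_leftovers example.com   (example.com is a placeholder)
```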
