'Jailed' sftp user setup with Webmin?

#1 Fri, 03/09/2018 - 10:17
JoeMurray

I know enough Linux sysadmin to be dangerous but not enough to be reliably safe. :(

I have a new 16.04 VPS and have just installed Webmin. I would like to set up an SFTP user, william, via Webmin who is allowed to write under /home/websitename/htdocs/ via SFTP and not cause problems with Apache reading the files, which are all right now owned by www-data:www-data. Basically, they are designers and content folks, and this is a Joomla site. This should coexist with my developers having SSH access.

I don't want william to write elsewhere, and it would probably be good to prevent them viewing elsewhere. I've seen that Joe Cooper discourages using chroot to limit access (https://www.virtualmin.com/comment/706702#comment-706702), which I'm not sure I could do properly for my use case anyway, as recipes like https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/ generally focus on user directories and don't address working with Apache-readable files.

I think what I should do is:

  1. Navigate to System > Users and Groups
  2. Click to Create a new user
  3. Leave most options at default, e.g. Primary Group set to Existing group users, except as follows
  4. Set Shell to /usr/sbin/nologin
  5. Set Secondary groups so www-data is In groups, though maybe not
  6. Set Create user in other modules to No, as I don't want them to get an email account etc.
  7. Navigate to Servers > SSH Server
  8. Set up Access Control somehow :(

Questions:

  1. What groups should william be put in?
  2. What should the owner:group be for Joomla files?
  3. What groups should the developers who shell in and need to modify files under /home/websitename/htdocs/ be put in?
  4. In SSH Server Access Control, it currently has All for Only allow user, Only allow members of groups, Deny Users and Deny members of groups. What should I change here?
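For steps 4 and 8 of the plan above, one way the SFTP-only restriction can be written directly in `/etc/ssh/sshd_config`. This is an added example, not part of the original post and not Webmin's own output; it deliberately leaves out `ChrootDirectory` (the post wants to avoid chroot) and assumes the account name and path given in the post.

```conf
# Added example (not from the original post).
# "william" and /home/websitename/htdocs are the names used in the post.

# Access Control in the post is currently "All": no AllowUsers, AllowGroups,
# DenyUsers or DenyGroups lines. If an AllowUsers or AllowGroups line is
# ever added, william (or a group he is in) must be listed or he is locked out.

# Per-user restrictions go in a Match block at the END of the file, because
# a Match block applies to every line after it until the next Match.
Match User william
    # Run the in-process SFTP server whatever the client asks for.
    # This works with the /usr/sbin/nologin shell from step 4, since no
    # login shell is started. -d sets the directory the session begins in.
    ForceCommand internal-sftp -d /home/websitename/htdocs
    # Remove the other things an SSH account could do.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no

# Caveat: without ChrootDirectory, -d only sets the starting directory.
# william can still browse any path that file permissions let him read;
# where he can WRITE is decided purely by ownership and mode bits on disk.

# Check the syntax before reloading sshd:
#   sshd -t
# Show the effective settings for this user:
#   sshd -T -C user=william,host=localhost,addr=127.0.0.1
```

Developers who keep shell access are unaffected, since the `Match User william` block applies only to that account.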