Apache HTTP Server
Vladislav Ross, 2012-08-28 09:42:42

What is the best way to organize sftp access to a web server?

Given: Apache web server, site files belong to apache:apache, permissions are mostly 0755.

Which user is it better to use for sftp?

Create a new user, put it in the apache group, change permissions to 0775 and change umask?
Or change the apache user: add a password and shell to it and log in as it?
Or is there some more reasonable option? Which is better?


5 answer(s)
Alexey Sundukov, 2012-08-28
@gag_fenix

I will assume that PHP is used. Install php-fpm and run it as the required user. Give that same user to ssh as well. Both php-fpm and ssh can be chrooted.
It is also possible for Apache to run the worker processes for each site under your user. But I haven't used this web server for a very long time and don't remember the details; everything is in the official documentation.
If the site is the only one (on a VPS, say), then "user apache: add a password and shell to it and go under it".

admin4eg, 2012-08-28
@admin4eg

I have done this with apache-itk and configured sftp access with chroot.
User home folder = home folder of the virtual host. Apache accepts the files that are created by the user; if someone else, purely hypothetically, does something in his folder, Apache will not let it out.

marchelly, 2012-08-28
@marchelly

Here is a working solution, in a few copy pastes:
www.jamison.org/2010/12/04/how-to-configure-wordpress-for-automatic-ftps-updates-using-vsftp-in-ubuntu/
Yes, it is for Wordpress, but it doesn't affect anything.

Ergil Osin, 2012-08-28
@Ernillew

Chroot was already mentioned a little higher up.
In /etc/ssh/sshd_config we write something like

Match User our-user
    ChrootDirectory /chroot
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

The ~ of the user our-user lives at /chroot/our-user.
In it we make a directory that we want to read and write.
We set the rights on ~ to something like our-user:www-data 6770.
On the server where we need it, we mount the specific directory via sshfs (sftp over fuse), and those who try to get out will not go far, because this user cannot log in, because of ForceCommand.
More or less like this.
From there you can dig in yourself, or knock on my door if you need to.
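
Added example, not part of the answer above: sshd refuses a chrooted login unless every component of the ChrootDirectory path, from / down, is a root-owned directory that is not group- or other-writable, so the writable our-user:www-data directory has to sit below the chroot rather than be the chroot. The Python check below walks a path the same way; the function names, the sample tree and uid 1001 are assumptions made for illustration.

```python
import errno
import os
import posixpath
import stat
from types import SimpleNamespace

def chroot_path_problems(chroot_dir, stat_fn=os.stat):
    """List reasons sshd would refuse chroot_dir (tokens like %u already expanded)."""
    path = posixpath.normpath(chroot_dir)
    if not path.startswith("/"):
        return [f"{chroot_dir}: ChrootDirectory must be an absolute path"]
    # sshd checks "/" and every directory below it, down to the chroot itself.
    components = ["/"]
    for name in filter(None, path.split("/")):
        components.append(posixpath.join(components[-1], name))
    problems = []
    for comp in components:
        try:
            info = stat_fn(comp)
        except OSError as exc:
            problems.append(f"{comp}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(info.st_mode):
            problems.append(f"{comp}: not a directory")
        if info.st_uid != 0:
            problems.append(f"{comp}: owned by uid {info.st_uid}, must be root")
        if info.st_mode & 0o022:
            mode = stat.S_IMODE(info.st_mode)
            problems.append(f"{comp}: mode {mode:04o} is group- or other-writable")
    return problems

# Constructed sample tree (path -> (uid, mode)); uid 1001 stands in for our-user.
SAMPLE_TREE = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/chroot": (0, stat.S_IFDIR | 0o755),
    "/chroot/our-user": (1001, stat.S_IFDIR | 0o6770),
}

def sample_stat(path):
    """Stand-in for os.stat that reads SAMPLE_TREE, so the demo runs without root."""
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), path)
    uid, mode = SAMPLE_TREE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for candidate in ("/chroot", "/chroot/our-user"):
        issues = chroot_path_problems(candidate, sample_stat)
        print(candidate, "->", issues or "acceptable to sshd")
```

On a real host, call chroot_path_problems with only the path so that it uses os.stat.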

voffkared, 2014-10-09
@voffkared

Configure sftp via proftpd.
https://www.digitalocean.com/community/tutorials/h...
https://www.digitalocean.com/community/tutorials/h...
During setup:
Add a new user to :apache with /bin/bash.
If it does not connect, then check and add / comment out the following in the proftpd config:

UseFtpUsers off
# Set the user and group that the server normally runs at.
#User                           proftpd
#Group                          nogroup

Otherwise, look towards selinux.
