An experimental SFTP process for when clients request access. Very rough.
Create a new user group named sftp.
groupadd sftp
In /etc/ssh/sshd_config at the bottom of the file add the following snippet.
# /etc/ssh/sshd_config
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
The sftp group created above is the group we will assign SFTP users to; the Match block applies only to its members.
ChrootDirectory %h locks users to their home directory. sshd requires that directory to be owned by root and not writable by group or others, which is why the ownership is reset further down.
ForceCommand internal-sftp forces users to connect with internal-sftp.
AllowTcpForwarding no prevents TCP port forwarding. If you want to give the users MySQL access too then comment this part out.
Restart SSH to put the changes into effect.
service ssh restart
Create a new user, assign them to the correct groups, and limit SSH access. Linux has an automated process that does much of this.
useradd username
usermod -g www-data username # add to the www-data group and make it primary
usermod -a -G sftp username # add to sftp as a supplementary group
usermod -s /bin/false username # prevent ssh shell access
mkhomedir_helper username
usermod -d /home/username username # specify home dir if not set in the useradd step
passwd username # set the password for the user
The most experimental part…
Create a new folder for the website and set correct permissions.
mkdir /home/username/public_html
chown -R username:username /home/username
chown root:root /home/username
chmod 755 /home/username
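sshd refuses a chrooted login when any component of the ChrootDirectory path is not root-owned or is writable by group or others, which is what the chown root:root and 755 mode above are for. The following pre-flight check is an added example, not part of the original notes; the function names chroot_component_ok and check_chroot_path are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example: verify a ChrootDirectory path before restarting sshd.

# Return 0 if one path component satisfies sshd's chroot rule:
# owned by uid 0 and not writable by group or others.
chroot_component_ok() {
    local uid="$1" mode="$2"
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group-write and other-write permission bits.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Walk from DIR up to / and print every component sshd would reject.
# Returns 0 if the whole path is acceptable, 1 if any component is
# rejected, 2 if DIR does not exist.
check_chroot_path() {
    local dir rc=0 uid mode
    # Resolve to the physical path so symlinked parents are checked too.
    dir=$(CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || {
        echo "no such directory: $1" >&2
        return 2
    }
    while :; do
        uid=$(stat -c '%u' "$dir")   # numeric owner (GNU stat)
        mode=$(stat -c '%a' "$dir")  # octal mode, e.g. 755
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "REJECT $dir (uid=$uid mode=$mode)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Usage: sh check_chroot.sh /home/username
if [ "$#" -gt 0 ]; then
    check_chroot_path "$1" && echo "OK: $1 is usable as ChrootDirectory"
fi
```

Run it against /home/username after the chown and chmod steps; any REJECT line names the directory that needs its owner or mode corrected.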
Copy the entire website from /var/www/example.com and put it into /home/username/public_html.
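cp -r /var/www/example.com/. /home/username/public_html/ # the trailing /. copies the site's contents into public_html instead of creating public_html/example.com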
After this is done there are two things to look for.
After copying everything, set the correct file permissions… again. This will ensure the added user can make file changes and WP can handle execution and uploads.
chown -R username:www-data /home/username/public_html
chown -R www-data:www-data /path/to/the/uploads/directory
Once you are satisfied that everything was copied correctly, proceed.
Symlink the new website to the /var/www/ folder for consistency with the other websites.
ln -s /home/username/public_html /var/www/example.com
Suggestion: If there is already a live website located at /var/www/example.com, it might be safer to symlink to a different name, such as /var/www/example.symlink. Using .symlink makes this more transparent at a glance, and doesn’t replace the existing site (if there is one).
Update the Nginx/Apache conf file for the website to point at /var/www/example.symlink, then restart. Fingers crossed you are good. Otherwise have the file ready for a quick undo.
/var/www/ folder and to point Nginx/Apache at it.