As easy as it is to configure an SFTP server following the documentation, I cannot find any answer to my "specific" demand, even though it looks like a basic one and I'm sure I'm not alone in this case.
I have an Apache server for several websites in the /var/www directory. I want to offer read and write access to someone to help me with debugging, and I have tried different configurations, but I cannot find one that:
- gives access directly to the directory /var/www/mysite
- gives rw rights without fear for security
SSH access with keys is OK. The user is in the sftp group AND the www-data group (the Apache group on Ubuntu servers).
In /etc/ssh/sshd_config, if I put
Match Group sftp
ChrootDirectory /var/www/mysite
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
it doesn't work: sshd[674668]: fatal: bad ownership or modes for chroot directory "/var/www/mysite"
If I put only ChrootDirectory /var/www
I can connect and see all the directories under www (not good), and of course I cannot write in the "mysite" directory if I keep it at 755 as recommended.
My 2 questions are pretty simple:
How can I configure SFTP to give access to the /var/www/mysite directory and not all the others under www? (Why doesn't it work with my config?)
Is it safe to set the directory /var/www/mysite and all its subdirectories to 775, as it's a public website? (Same question for the files, which will need to be 664 to be modified.)
EDIT:
As far as I can understand from the Apache documentation and other questions on the subject, it's better to change the group of /var/www/mysite to avoid giving the www-data user write access.
So part of the solution could be:
sudo chgrp -R webmasters /var/www/mysite
sudo chmod -R g=rwX /var/www/mysite/
but I still cannot manage to get direct access to the mysite directory when I connect with SFTP...
Thanks a million !
Manuel
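Added example, not part of the question above or of any posted answer. It shows why the first Match block fails and one layout that satisfies sshd while still giving the helper write access. The "bad ownership or modes" error comes from sshd's own check of the ChrootDirectory path: every component, from / down to the chroot itself, must be owned by root and must not be group- or world-writable. A site root that a group can write to can therefore never be the chroot; the chroot has to be a root-owned 755 directory one level above it, and `ForceCommand internal-sftp -d` starts the session inside the writable subdirectory. Assumed names (none appear in the question): the jail is /var/www/jail, the site root inside it is /var/www/jail/mysite, the writers' group is webmasters; GNU coreutils stat and an OpenSSH whose internal-sftp accepts -d are also assumed. Apache's DocumentRoot must then point at /var/www/jail/mysite (or the existing /var/www/mysite is bind-mounted there).

```shell
#!/bin/sh
# Added example (not from the question). Two pieces:
#  1. check_chroot_path mirrors the rule behind sshd's
#     "bad ownership or modes for chroot directory": every component of the
#     ChrootDirectory path, from / down, is owned by root and is neither
#     group- nor world-writable.
#  2. setup_sftp_jail builds a tree that passes the rule and still lets the
#     webmasters group write: root:root 755 jail, group-writable site below it.
# Assumed, not from the question: paths, group name, GNU stat, internal-sftp -d.
JAIL=/var/www/jail          # assumed ChrootDirectory, never written to
SITE_NAME=mysite            # assumed site root, seen as /mysite inside the jail
SITE=$JAIL/$SITE_NAME
WEBGROUP=webmasters         # assumed group of the people allowed to write

# check_dir_component DIR [EXPECTED_UID]
# One directory: owner must be EXPECTED_UID (default 0 = root) and the mode
# string from stat (e.g. drwxr-xr-x) must have no 'w' in the group (6th) or
# other (9th) position. Prints the reason and returns 1 on failure. The uid
# parameter exists only so the rule can be exercised on a throwaway tree.
check_dir_component() {
    d=$1
    want_uid=${2:-0}
    info=$(stat -L -c '%u %A' "$d" 2>/dev/null) || { echo "$d: cannot stat"; return 1; }
    uid=${info%% *}
    perm=${info#* }
    if [ "$uid" -ne "$want_uid" ]; then
        echo "$d: owned by uid $uid, sshd requires uid $want_uid"
        return 1
    fi
    case $perm in
        ?????w*)    echo "$d: group-writable ($perm)"; return 1 ;;
    esac
    case $perm in
        ????????w*) echo "$d: world-writable ($perm)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path PATH [EXPECTED_UID]
# Walks PATH from / downwards, as sshd does, stopping at the first bad component.
check_chroot_path() {
    full=$(cd "$1" 2>/dev/null && pwd -P) || { echo "$1: not a directory"; return 1; }
    want=${2:-0}
    check_dir_component / "$want" || return 1
    rest=${full#/}
    cur=
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        cur="$cur/$comp"
        check_dir_component "$cur" "$want" || return 1
        rest=${rest#"$comp"}
        rest=${rest#/}
    done
    echo "$full: acceptable as ChrootDirectory"
}

# setup_sftp_jail (run as root). The setgid bit on directories makes files
# created over SFTP inherit the webmasters group. www-data is NOT in that
# group, so Apache keeps only the "other" bits: read and traverse, no write.
# The helper's account must be in both the sftp and the webmasters groups.
setup_sftp_jail() {
    install -d -o root -g root -m 755 "$JAIL"
    install -d -o root -g "$WEBGROUP" -m 2775 "$SITE"
    chgrp -R "$WEBGROUP" "$SITE"
    find "$SITE" -type d -exec chmod 2775 {} +   # rwxrwsr-x
    find "$SITE" -type f -exec chmod 664 {} +    # rw-rw-r--
    check_chroot_path "$JAIL"
}

# sshd_match_block prints the Match block for /etc/ssh/sshd_config.
# -d takes a path as seen after the chroot, so /mysite, not /var/www/jail/mysite.
sshd_match_block() {
    cat <<EOF
Match Group sftp
    ChrootDirectory $JAIL
    ForceCommand internal-sftp -d /$SITE_NAME
    X11Forwarding no
    AllowTcpForwarding no
EOF
}

case ${1:-} in
    apply) setup_sftp_jail ;;
    check) check_chroot_path "${2:-$JAIL}" ;;
    *)     sshd_match_block ;;
esac
```

Run `sh jail.sh check /var/www/mysite` on the box from the question and the first group-writable component is named, which is the same condition sshd logs. `sudo sh jail.sh apply` creates the assumed layout, and the default invocation prints the Match block to paste into sshd_config (then `sshd -t` and reload). Because the group on the site root is webmasters rather than www-data, the 775/664 modes give write access only to the people in that group; Apache is unaffected by the group bits.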