Configure SFTP for a website directory under Linux

 

   It is hard to find an SFTP configuration guide on the Internet that suits website directories. After a lot of trial and error, here is a complete one. If you find the Chinese original hard to follow, there is a concise English walkthrough at http://www.linuxtechi.com/configure-chroot-sftp-in-linux/ .

 

   First, a note: if SELinux is enabled and configured, the SFTP login reportedly may fail (not tested here).

  Suppose the website directory is /var/wwwroot/xxx.com/public_html (there is a reason for the extra subdirectory level; see below).

  The files in the directory belong to www:www (the php-fpm user and group). Why use the www group? So that the SFTP user and PHP share permissions through the group. Web directories are usually given 775, 755 or 750, so "others" often has too little access, and files newly uploaded or re-uploaded by the SFTP user would otherwise end up with permissions too low for PHP to read them through the group.

  // Add the SFTP group (the same group php-fpm runs as; skip if it already exists)
    # groupadd www

  // Disable the shell, set the home directory to /var/wwwroot/xxx.com, primary group www.
  // /sbin/nologin is the RHEL/CentOS path; Debian/Ubuntu use /usr/sbin/nologin.

  // If the user does not exist:
    # useradd -s /sbin/nologin -d /var/wwwroot/xxx.com -g www sftp_david
  // If the user already exists, modify it instead:
    # usermod -s /sbin/nologin -d /var/wwwroot/xxx.com -g www sftp_david
  // Set the password for this user
    # passwd sftp_david

   If nothing has gone wrong so far, the user can already log in over SFTP, but at this point it can browse far too much: almost the entire filesystem. Its access has to be confined to its own directory.

    # vim /etc/ssh/sshd_config

    // Find the Subsystem sftp line, comment it out, and add this line instead
    // (internal-sftp runs the SFTP server inside sshd, so no sftp-server binary
    // or libraries have to be copied into the chroot):

      Subsystem       sftp  internal-sftp

    // Add the following at the end of the file to confine the group to its home
    // directory. It must be the last thing in the file: every line after a Match
    // line belongs to that block.

    Match Group www

    ChrootDirectory %h

    ForceCommand internal-sftp

    AllowTcpForwarding no

    // Match Group www applies to every member of www, including the php-fpm www
    // user. To restrict only the SFTP account, use "Match User sftp_david" instead.

  // Save and restart. If the network is unreliable, do not rush to restart: a
  // failed restart would also break the current SSH session.

  # service sshd restart

  

  Permission changes:

  SFTP chroot has a peculiarity: the chroot directory (the user's home here) and every directory above it must be owned by root and must not be writable by group or others. Only root may have write permission on them.

  In this example the home directory is /var/wwwroot/xxx.com, so every directory on that path must be root-owned with a mode such as 755, and the SFTP account must not have write permission on any of them (not even through the group); otherwise sshd refuses the connection with "bad ownership or modes for chroot directory component".

  # cd  /var/wwwroot/xxx.com
  # chown root:root .        // xxx.com is the chroot (home) directory: root-owned, and keep it 755
  # chown sftp_david:www public_html
  # chmod 775  public_html

  That is the reason the public_html subfolder exists: the account cannot write to xxx.com itself, so it cannot upload files directly into it. A subfolder public_html is created instead, and under it the account can upload freely.

 

  At the same time, make sure sftp_david is in the www group so it has the group's permissions. The primary group was already set to www with -g above; if the account keeps a different primary group, add www as a supplementary group instead (-aG appends rather than replacing the existing supplementary groups). The home directory must remain /var/wwwroot/xxx.com: with ChrootDirectory %h it is the chroot, and pointing it at public_html (owned by sftp_david and group-writable) would make sshd refuse the login.

  # usermod -s /sbin/nologin -d /var/wwwroot/xxx.com -aG www sftp_david

  Finish!

 

  In addition, if the group permissions under public_html are less than rwx on directories or rw on files, fix them (the setup relies on group permissions to operate on files). Run this inside public_html, not in xxx.com: the chroot directory itself must never become group-writable.

  # cd /var/wwwroot/xxx.com/public_html

  # find . -type d -exec chmod g=rwx {} \;
  # find . -type f -exec chmod g=rw {} \;

   Remember not to give files the x permission.

 

 

Description of common parameters for the user commands (see -h for the rest):

  -a append to the supplementary groups given with -G instead of replacing them (usermod only)

  -d the home directory, i.e. where the user lands on login; with ChrootDirectory %h it is also the chroot

  -M do not create the home directory (useradd)

  -s the login shell. /bin/false and /sbin/nologin both block interactive login; SFTP still works here only because ForceCommand internal-sftp runs the SFTP server inside sshd without invoking the shell. With the external sftp-server subsystem the shell would be invoked and both would break SFTP.

  -G supplementary group(s); usermod replaces the existing list unless -a is given. Neither -G nor -g creates the group.

  -g the primary group; the group must already exist

 


Reprinted from: https://www.cnblogs.com/antartican/p/3986523.html
