
I am getting the following error in auth.log when trying to connect to the site using SFTP.

fatal: bad ownership or modes for chroot directory "/var/www"

ls -ld of this directory shows this:

drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/

As you can see, I have given full permission to the group sftponly. The user through which I am connecting to SFTP is mysftpuser, which is part of the sftponly group.

If I do the following then I can connect but cannot rename, edit, delete or overwrite any file or folder inside www:

sudo chmod 755 /var/www/

Here's my sshd_config setting:

Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

So in short, sudo chmod 755 /var/www/ allows me to connect but only in READ-only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.

How do I fix this issue?

  • Does anyone have a suggestion? I have been trying for hours to fix this issue but no luck. I created a new dir inside /var/www but it has the same issue. Even if I give 777 permission on /var/www then I cannot connect to SFTP. It will only connect if /var/www/ has 755 permission, but then it won't let me delete, rename etc. – Frank Martin Aug 12 '17 at 16:02
  • sftponly probably has fewer permissions on child files and directories than on /var/www itself. If changing modes recursively is an option, that's your next step: chmod -R 775 /var/www. – doriclazar Aug 12 '17 at 16:34
  • I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect. – Frank Martin Aug 12 '17 at 18:11
  • Frank, you don't need other users to have full permissions (777); you need users of the sftponly group to have read, write and, optionally, execute on all enclosed files and folders. You achieve that by chmod -R 775 /var/www, and by making this group the owner of child files and directories: chown -R root:sftponly /var/www. – doriclazar Aug 13 '17 at 15:08
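The error quoted in the question is sshd's own safety check: before it chroots a session it walks every path component of ChrootDirectory and refuses if any component is not owned by root or is writable by group or others. The 775 mode from the ls -ld output fails the second rule, which is why 755 works but 775 does not; a chroot root that the confined user can write to would let that user rearrange the very directory they are supposed to be locked into. The script below is an added example (it is not from the question or either answer): it reproduces that check so you can run it against a path before restarting sshd, and builds the layout that satisfies it, a root-owned 0755 chroot with a writable subdirectory inside. It assumes GNU coreutils stat, the mysftpuser and sftponly names from the question, and a subdirectory name of html, which is my choice; the base path and owner uid are parameters only so the check can also be exercised on a scratch tree owned by an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Assumes GNU coreutils stat (-c '%u' / '%A'); user and group names
# mysftpuser:sftponly are taken from the question, "html" is an assumed name.

# _chroot_component_ok PATH OWNER_UID
# One path component passes when it is owned by OWNER_UID and neither the
# group nor the "other" write bit is set (the "bad ownership or modes" test).
_chroot_component_ok() {
    path=$1
    want_uid=$2
    uid=$(stat -c '%u' "$path") || return 1
    perms=$(stat -c '%A' "$path")
    # symbolic mode such as drwxrwxr-x: column 6 is group write, column 9 other write
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    if [ "$uid" != "$want_uid" ]; then
        echo "bad ownership for $path: owned by uid $uid, required uid $want_uid" >&2
        return 1
    fi
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "bad modes for $path: $perms is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# check_chroot_path BASE DIR [OWNER_UID]
# Walks from BASE down to DIR and checks every component. A real sshd walks
# from / and requires uid 0; BASE and OWNER_UID are parameters so the same
# logic can be run on a scratch tree that is not owned by root.
check_chroot_path() {
    base=$1
    dir=$2
    want_uid=${3:-0}
    cur=$base
    _chroot_component_ok "$cur" "$want_uid" || return 1
    rest=${dir#"$base"}
    old_ifs=$IFS
    IFS=/
    for comp in $rest; do
        [ -n "$comp" ] || continue
        case $cur in
            /) cur="/$comp" ;;
            *) cur="$cur/$comp" ;;
        esac
        if ! _chroot_component_ok "$cur" "$want_uid"; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# make_chroot_layout CHROOT SUBDIR [ROOT_OWNER] [DATA_OWNER]
# The layout that resolves the question: the chroot itself stays 0755 and
# owned by root, and a subdirectory inside it is owned by the SFTP user, so
# files can be created, renamed and deleted there without touching the root.
make_chroot_layout() {
    chroot_dir=$1
    subdir=$2
    root_owner=${3:-root:root}
    data_owner=${4:-mysftpuser:sftponly}
    mkdir -p "$chroot_dir/$subdir" || return 1
    chown "$root_owner" "$chroot_dir" && chmod 0755 "$chroot_dir" || return 1
    chown "$data_owner" "$chroot_dir/$subdir" && chmod 0775 "$chroot_dir/$subdir" || return 1
}

# Usage as root, matching the Match block in the question's sshd_config:
#   make_chroot_layout /var/www html root:root mysftpuser:sftponly
#   check_chroot_path / /var/www 0    # exit status 0 means sshd will accept the chroot
```

After the layout step, mysftpuser still lands in /var/www on login (read-only, as the question observed) and does all writing under /var/www/html. If the web content has to live directly under /var/www, the usual workaround is to point ChrootDirectory one level up (for example a root-owned /var/sftp containing a writable www subdirectory) rather than loosening the mode on the chroot itself.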

2 Answers

Here are the commands you need:

usermod -d /var/www/ sftponly        # set the account's home directory
usermod -s /sbin/nologin sftponly    # deny an interactive shell
usermod -s /bin/false sftponly       # same effect; this second -s overrides the previous one

After this, the best way to give permissions for any user to any folder is ACL:

setfacl -Rm "u:sftponly:rwx" /var/www/     # access ACL on existing files and directories
setfacl -Rdm "u:sftponly:rwx" /var/www/    # default ACL, inherited by newly created entries
– Giacomo1968

Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.

See this question's answer for more info: Server Fault Question