Following problem: We run a CentOS webserver and would like to grant access to an external contractor who only needs to access our webfolder '/var/www' to modify/upload files.
What I tried was setting up SFTP jailing (according to the following documentation: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/), but I can't make it work for the following reason: the whole webfolder is assigned to the Apache user apache:apache, as usual in CentOS. But SFTP needs root:root ownership, otherwise the following error appears:
fatal: bad ownership or modes for chroot directory component "/var/www/" [postauth]
So how can I set up SFTP or another solution in order to keep the "www" folder owned by apache:apache and allow another user to access it?
Are there other options to solve this problem than SFTP, or is SFTP the right thing to do?
Thank you in advance for your help!
I finally used SFTP to solve the mentioned problem. The main issues were the file permissions. I did the following steps (running CentOS 7.2):
Folder Permissions
The following file permissions were set, including the sticky bit (explained after the code).
Create Group and Users
Create user for external provider and set new password.
Setup sftp-server Subsystem in sshd_config
Comment out the existing Subsystem and add:
Add at the end of sshd_config
Restart sshd service
Login via SFTP to test the connection
Security
SELinux is enforcing and was never an issue concerning this SFTP setup.
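The "bad ownership or modes for chroot directory component" error in the question comes from the check sshd applies to a ChrootDirectory: "/" and every directory below it down to the chroot target must be owned by root and not writable by group or others. The following is an added example, not part of the original post, that reproduces that check so a layout can be audited before restarting sshd; the sample tables and the use of uid 48 for the apache account are constructed assumptions.

```python
import os
import stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_uid st_mode")  # stand-in for os.stat_result


def chroot_path_problems(path, stat_fn=os.stat):
    """List (component, reason) pairs that make sshd refuse `path` as a chroot.

    sshd checks "/" and every directory down to the chroot target: each must
    be a directory, owned by uid 0, and not writable by group or others.
    """
    if not path.startswith("/"):
        raise ValueError("ChrootDirectory must be an absolute path")
    components, current = ["/"], "/"
    for part in filter(None, path.split("/")):
        current = os.path.join(current, part)
        components.append(current)
    problems = []
    for comp in components:
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, f"cannot stat: {exc}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, f"owned by uid {st.st_uid}, must be root"))
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((comp, f"mode {mode:o} is group- or world-writable"))
    return problems


def fake_stat(table):
    """Build a stat function over a constructed {path: (uid, mode)} table."""
    return lambda p: FakeStat(table[p][0], stat.S_IFDIR | table[p][1])


# Constructed layouts; uid 48 stands in for the apache account (assumption).
APACHE_OWNED = {"/": (0, 0o755), "/var": (0, 0o755), "/var/www": (48, 0o755)}
ROOT_OWNED = {"/": (0, 0o755), "/var": (0, 0o755), "/var/www": (0, 0o755)}

if __name__ == "__main__":
    for name, table in (("apache-owned", APACHE_OWNED), ("root-owned", ROOT_OWNED)):
        print(name, chroot_path_problems("/var/www", fake_stat(table)))
    print("live system:", chroot_path_problems("/var/www"))
```

An empty list means the path passes the ownership and mode check; the apache-owned layout reports "/var/www" as the offending component, matching the error quoted in the question.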