Create ftp user only with rights to /var/www/html

Thias79 · August 5, 2023, 10:52am

How do I create an ftp user that only has access to the folder /var/www/html and wordpress? And nothing else?

CanadaGuy · August 5, 2023, 1:55pm

What do you mean “access”? Does this user need shell access or just ftp?

as you can see there’s a few questions to provide a meaningful answer.

Thias79 · August 5, 2023, 2:10pm

Need an FTP user who only accesses the folder /var/www/html this to be able to upload theme files and other for example WordPress

mikew · August 5, 2023, 6:38pm

Forget FTP, it’s an insecure protocol. If a user needs to upload files then they should use SFTP, which is file transfer over SSH.
If you want to limit a user to only being able to access a specific directory, look at using ChrootDirectory in sshd configuration.
If you want to limit a user to only being able to transfer files and not get a shell to run commands then look at using ForceCommand in sshd configuration.
There’s umpteen guides to this sort of thing e.g. CentOS / RHEL : How to Set up SFTP to Chroot Jail only for Specific Group – The Geek Diary That guide, like all the others I can find with a very quick look, tells you put the configuration in sshd_config but if you’re using AlmaLinux 9 then it’s better to put your own configuration in a file in /etc/ssh/sshd_config.d/ (Same if AlmaLInux 8 has a version of openSSH which supports /etc/ssh/sshd_config.d/ I don’t know if it does or not.)

Thias79 · August 6, 2023, 10:28am

I don’t run unencrypted ftp. I use Let’s Encrypt SSL / TLS. When I connect with FTP

mikew · August 6, 2023, 3:41pm

So FTPS then? I repeatedly forget that FTPS exists. I’ve never found any explanation for why anyone would go the effort of setting that up instead of using SFTP which is available by default (assuming an SSH server is running , which it almost certainly is). Out of curiosity, why are you using it?

Philip · August 7, 2023, 12:55am

Take a look at vsftp server config - specifically, setting it up to chroot to the home directory of the user logged in.

So you would create a web user with home directory /var/www/html and configure the vsftp server to allow that user to connect and to chroot when it does.

https://www.cyberciti.biz/tips/vsftp-chroot-users-limit-to-only-their-home-directory.html

Thias79 · October 13, 2023, 8:59am

I have now added the following lines to the SSHD_Config file

Match Group sftp
        ChrootDirectory /var/www/html/
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PasswordAuthentication yes

But the one it doesn’t really want to connect

Are it the rights on the catalogs themselves that are incorrect or do I have to change group that owns the catalog/where/www/html