[TriLUG] Proper way to allowing remote sftp to nginx web server

Matt Flyer via TriLUG trilug at trilug.org
Fri Apr 1 10:43:59 EDT 2016


The first thing that jumps out at me is the question of permissions for nginx. I would think it would need only read capability on the directories. In one setup I use, I set the directories to group write but the server (user ID) is not part of that group and the files are owned by root. I guess I'm confused about the problem your group changes caused and would be concerned about a security loophole.

As far as file transfers, I'm not really familiar with SFTP, but if the user has ssh access they should be able to use SCP.


> On Apr 1, 2016, at 10:13 AM, Ronald Kelley via TriLUG <trilug at trilug.org> wrote:
> 
> Greetings all.
> 
> I need to allow remote sftp access to one of our servers for some web development.  I have set up a chroot sftp environment (per https://wiki.archlinux.org/index.php/SFTP_chroot) but am running into a permissions dilemma and need some advice.
> 
> Everything is working as expected - the user can log in via sftp and change to the web server’s root directory.  However, since the UID/GID of the remote user (i.e. 9801:9801) does not match the web server’s UID/GID (nginx  1504:1504), the remote user can’t write files to the web server directory.  If I put the user in the same group as nginx, the UID permissions are wrong and the web server has problems.  I was hoping I could find some sort of UID/GID remapping option for sshd but have not found anything yet.
> 
> Short of using nginx’s UID/GID for the remote user in /etc/passwd, how can I get sshd to remap the IDs?  What is the proper security fix?
> 
> Thanks in advance.
> 
> -Ron
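An added example, not part of either message: a small audit of the layout discussed in this thread, where the web server identity should only read the docroot while a separate group may write. The function names, the sample tree and the shared web-dev group are assumptions; the 1504 and 9801 IDs are the ones quoted above, and only plain mode bits are checked.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits that apply to (uid, gids): owner class, else group, else other.
    Assumption: plain mode bits only; POSIX ACLs and root are not modelled."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_webroot(root, uid, gids):
    """Return (writable, unreadable) paths under root for the given identity."""
    writable, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in sorted(files)]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; targets are not followed
            bits = class_bits(st, uid, gids)
            need = 5 if stat.S_ISDIR(st.st_mode) else 4  # r-x on dirs, r-- on files
            if bits & 2:
                writable.append(path)
            if (bits & need) != need:
                unreadable.append(path)
    return writable, unreadable

def build_demo():
    """Constructed sample tree: group-writable docroot plus one world-writable dir."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o775)
    index = os.path.join(root, "index.html")
    with open(index, "w") as fh:
        fh.write("<h1>ok</h1>\n")
    os.chmod(index, 0o664)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)  # the mistake the audit should catch
    return root

if __name__ == "__main__":
    root = build_demo()
    dev_group = os.stat(root).st_gid  # stands in for a shared web-dev group
    print("nginx 1504:1504 ->", audit_webroot(root, 1504, {1504}))
    print("sftp  9801:9801 ->", audit_webroot(root, 9801, {9801, dev_group}))
```

An empty first list for the nginx identity means it cannot modify anything it serves; an empty second list means it can still read every file and traverse every directory.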


