Website User Management

Prerequisites

  • You have read and followed the instructions for configuring OpenSSH.
  • You have also read and followed the instructions on how to install and configure Apache & PHP.

Introduction

This section is about creating users that are each tied to one or more websites. The method used relies on installation practices employed in other sections of this Wiki.

The key benefits to this overall approach are as follows:

  • Users will have remote file access through SFTP as opposed to standard FTP.
  • Users will have limited access to the file system and will not be able to traverse above their home folder (chroot'd).

Create a New User

Use the useradd command to create a new user, substituting the appropriate username. In the same command we can create their home folder in our website path and assign them to our specially restricted filetransfer user group.

Naming Policy:
As a rule I use the website name (less any domain tld extensions) as the username. It gives me a good distinction between standard users and website users on my system. For example, website domain is mysite.com; username becomes mysite.

sudo useradd -m -d /www/username -G filetransfer username

We now need to restrict the user from creating files in the root of their home folder. We'll do this by making root the owner of this folder.

sudo chown root:root /www/username
sudo chmod 755 /www/username

We'll need to create a set of directories that the user does have full access to. In particular this is most likely to be a folder for their website files. I use the fairly standard public_html as the name for this folder.

sudo mkdir /www/username/public_html
sudo chown -R username:www-data /www/username/public_html

NOTE: It is the path /www/username/public_html that will be later used as the DocumentRoot for this website in the Apache VirtualHost record.

Remote SFTP Access

We probably need to give this user access to their website files via a file transfer application. This could be done with a traditional service such as FTP, but we can avoid installing another daemon and use the previously installed OpenSSH for SFTP connections. As we are fortunate to have a new enough version of OpenSSH installed, we can also take advantage of its chroot capabilities.

If you recall from the OpenSSH configuration page, making this new user part of the filetransfer group has already enforced the chroot functionality.

Enable SFTP Access for the user

Before the user can connect via SFTP we need to edit the /etc/ssh/sshd_config file and add this new user to the AllowUsers list.

Now we just need to restart OpenSSH for the changes to take effect:

sudo /etc/init.d/ssh restart

This new user should now be able to log into their account via SFTP and transfer files to and from the directories located beneath their home directory, but they shouldn't be able to see the rest of the server's filesystem.
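
To confirm the steps above before handing over credentials, the following audit script is an added example, not part of the original page. It assumes GNU stat (Debian/Ubuntu), the /www/username/public_html layout used here, and that the chroot directory is the user's home; the function names are hypothetical. sshd refuses a chroot whose path components are not root-owned or are writable by group or others, so that is checked for /www and the home folder.

```shell
#!/bin/sh
# Added example (not from the original page): audit one website user's SFTP setup.
# Usage: . ./audit.sh; audit_site_user mysite

# dir_locked DIR [UID]: DIR exists, is owned by UID (default 0 = root) and is
# not writable by group or others.
dir_locked() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "${2:-0}" ] || return 1
    mode=$(stat -c %a "$1")
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# allow_users_has CONFIG USER: USER appears as an exact name on an AllowUsers
# line. The keyword is matched case-insensitively; user@host patterns,
# wildcards and Match blocks are not interpreted (simplification).
allow_users_has() {
    awk -v u="$2" '
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
        END { exit hit ? 0 : 1 }' "$1"
}

# audit_site_user USER [CONFIG]: print each failed check; non-zero if any fail.
audit_site_user() {
    user=$1 conf=${2:-/etc/ssh/sshd_config} home=/www/$1 rc=0
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx filetransfer ||
        { echo "FAIL: $user is not in group filetransfer"; rc=1; }
    # Assumption: the chroot directory is the user's home, so /www and the
    # home folder must both be root-owned and not group/world writable.
    for d in /www "$home"; do
        dir_locked "$d" ||
            { echo "FAIL: $d must be root-owned, mode 755 or stricter"; rc=1; }
    done
    [ "$(stat -c %U:%G "$home/public_html" 2>/dev/null)" = "$user:www-data" ] ||
        { echo "FAIL: $home/public_html is not owned by $user:www-data"; rc=1; }
    allow_users_has "$conf" "$user" ||
        { echo "FAIL: $user missing from AllowUsers in $conf"; rc=1; }
    return $rc
}
```
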

Next Step…

We can now go on and set up a website for this user using the Setup a Website guide.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License