Centos 6.3 + selinux+chroot sftp +Apache UserDir

• default install of Centos 6.3+httpd+selinux enabled
• setsebool -P ssh_chroot_rw_homedirs on
• setsebool -P httpd_enable_homedirs true
• edit /etc/httpd/conf/httpd.conf
  • remove   UserDir disabled
  • uncomment #UserDir public_html
  • add
    • <Directory /home/*/public_html>
      AllowOverride FileInfo AuthConfig Limit
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      <Limit GET POST OPTIONS>
      Order allow,deny
      Allow from all
      </Limit>
      <LimitExcept GET POST OPTIONS>
      Order deny,allow
      Deny from all
      </LimitExcept>
      </Directory>
      
• Restart httpd server
• edit /etc/ssh/sshd_config
  • change Subsystem sftp /usr/libexec/openssh/sftp-server to Subsystem sftp internal-sftp
  • add at the end
    • Match Group sftponly
      ChrootDirectory /home/%u
      AllowTcpForwarding no
      ForceCommand internal-sftp
      X11Forwarding no
      
• restart sshd server
• groupadd sftponly
• Add webuser1
  • /usr/sbin/useradd -g sftponly -s /bin/false webuser1
    /bin/chown -R root.root /home/webuser1
    /bin/chmod -R 755 /home/webuser1
    /bin/mkdir /home/webuser/public_html
    /bin/chown webuser1:sftponly /home/webuser1/public_html
• download http://winscp.net/download/winscp512.zip
• use winscp to upload files to public_html and will be visible in http://yourserver.com/~webuser1
• webuser1 do not have ssh access only sftp acces.