CentOS 6.3 + SELinux + chroot SFTP + Apache UserDir
- default install of CentOS 6.3 with httpd and SELinux enabled
- setsebool -P ssh_chroot_rw_homedirs on
- setsebool -P httpd_enable_homedirs true
- edit /etc/httpd/conf/httpd.conf
- remove (or comment out) UserDir disabled
- uncomment #UserDir public_html
- add the following block:
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
- Restart httpd server
- edit /etc/ssh/sshd_config
- change Subsystem sftp /usr/libexec/openssh/sftp-server to Subsystem sftp internal-sftp
- add at the end:
    Match Group sftponly
        ChrootDirectory /home/%u
        AllowTcpForwarding no
        ForceCommand internal-sftp
        X11Forwarding no
- restart sshd server
- groupadd sftponly
- add webuser1 (the home directory must be owned by root and not writable by group or others, or sshd refuses the chroot with a "bad ownership or modes" error; the user only gets write access inside public_html):
    /usr/sbin/useradd -g sftponly -s /bin/false webuser1
    /bin/chown -R root.root /home/webuser1
    /bin/chmod -R 755 /home/webuser1
    /bin/mkdir /home/webuser1/public_html
    /bin/chown webuser1:sftponly /home/webuser1/public_html
- download http://winscp.net/download/winscp512.zip
- use WinSCP to upload files to public_html; they will be visible at http://yourserver.com/~webuser1
- webuser1 does not get SSH shell access, only SFTP access.
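As an added sanity check for the steps above (example code written for this page, not part of the original note), a POSIX sh script that verifies the ChrootDirectory ownership rule and the sshd_config changes; it assumes GNU stat as shipped with CentOS 6 and uses the group name sftponly from the note.

```shell
#!/bin/sh
# Added example for this page, not from the original note. It checks the
# two things sshd insists on before chrooting an SFTP user: the
# ChrootDirectory is root-owned and not group/world-writable, and the sftp
# subsystem is internal-sftp (sftp-server is not reachable inside the chroot).

# chroot_perms_ok UID MODE -> 0 when the numeric owner UID is root and the
# octal MODE (755, 2755, ...) has no write bit for group or others.
chroot_perms_ok() {
    [ "$1" -eq 0 ] 2>/dev/null || return 1
    case "$2" in
        *[2367][0-7]) return 1 ;;   # group write bit set, e.g. 775
        *[2367])      return 1 ;;   # other write bit set, e.g. 757
    esac
    return 0
}

# chroot_dir_ok DIR -> stat DIR (GNU stat) and apply chroot_perms_ok to it.
chroot_dir_ok() {
    [ -d "$1" ] || return 1
    chroot_perms_ok $(stat -c '%u %a' "$1")
}

# sftp_subsystem_ok FILE -> 0 when FILE declares "Subsystem sftp internal-sftp".
sftp_subsystem_ok() {
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$1"
}

# match_block_ok FILE GROUP -> 0 when the "Match Group GROUP" stanza (from
# that Match line to the next Match line or end of file) sets
# ChrootDirectory and forces internal-sftp.
match_block_ok() {
    block=$(awk -v g="$2" '
        $1 == "Match" { on = ($2 == "Group" && $3 == g); next }
        on { print }' "$1")
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ChrootDirectory[[:space:]]' &&
    printf '%s\n' "$block" | grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp'
}

# check_user USER [SSHD_CONFIG] -> print one line per check for USER.
check_user() {
    cfg=${2:-/etc/ssh/sshd_config}
    chroot_dir_ok "/home/$1" && echo "ok: /home/$1 is a valid chroot" \
        || echo "FAIL: /home/$1 must be owned by root with mode 755"
    sftp_subsystem_ok "$cfg" && echo "ok: Subsystem sftp internal-sftp" \
        || echo "FAIL: Subsystem sftp still points at sftp-server"
    match_block_ok "$cfg" sftponly && echo "ok: Match Group sftponly chroots and forces internal-sftp" \
        || echo "FAIL: Match Group sftponly block is missing or incomplete"
}
```

Run it as root with `check_user webuser1` after the steps above; every line should start with "ok".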