I know enough Linux sysadmin to be dangerous but not enough to be reliably safe.
I have a new 16.04 VPS and have just installed Webmin. I would like to set up an SFTP user, william, via Webmin who is allowed to write under /home/websitename/htdocs/ via SFTP and not cause problems with Apache reading the files, which are all right now owned by www-data:www-data. Basically, they are designers and content folks, and this is a Joomla site. This should coexist with my developers having SSH access.
I don’t want william to write elsewhere, and it would probably be good to prevent them viewing elsewhere. I’ve seen that Joe Cooper discourages using chroot to limit access (https://www.virtualmin.com/comment/706702#comment-706702), which I’m not sure I could do properly for my use case anyway, as recipes like https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/ generally focus on user directories and don’t address working with Apache-readable files.
I think what I should do is:
- Navigate to System > Users and Groups
- Click to Create a new user
- Leave most options at default, e.g. Primary Group set to Existing group users, except as follows
- Set Shell to /usr/sbin/nologin
- Set Secondary groups so www-data is In groups, though maybe not
- Set Create user in other modules to No as I don't want them to get email account etc
- Navigate to Servers > SSH Server
- Set up Access Control somehow :(
Questions:
- What groups should william be put in?
- What should the owner:group be for Joomla files?
- What groups should the developers who shell in and need to modify files under /home/websitename/htdocs/ be put in?
- In SSH Server Access Control, it currently has All for Only allow user, Only allow members of groups, Deny Users and Deny members of groups. What should I change here?
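
One way to check the file-permission side of this setup, as an added example that is not part of the original post: a shell function that audits a document root, assuming www-data, the SFTP user and the developers all share one group and that directories carry the setgid bit. The function names, finding labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: www-data, the SFTP user and the developers
# all belong to one shared group that owns the web root.

# audit_docroot DIR GROUP
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_docroot() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    findings=$(
        # Owned by another group: shared-group members get no group access.
        find "$dir" ! -group "$group" -exec printf 'WRONG_GROUP %s\n' {} +
        # Directory without setgid: uploads take the primary group of the uploader.
        find "$dir" -type d ! -perm -2000 -exec printf 'NO_SETGID %s\n' {} +
        # Not group-writable: the other members cannot edit or replace it.
        find "$dir" ! -type l ! -perm -0020 \
            -exec printf 'NOT_GROUP_WRITABLE %s\n' {} +
        # World-writable: any local account can change site content.
        find "$dir" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree standing in for /home/websitename/htdocs.
# The primary gid of the caller stands in for the shared group.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/images" "$root/cache"
    : > "$root/index.php"; : > "$root/images/logo.png"; : > "$root/cache/tmp.dat"
    chgrp -R "$(id -g)" "$root"
    chmod 2775 "$root" "$root/images" "$root/cache"
    chmod 664 "$root/index.php" "$root/images/logo.png" "$root/cache/tmp.dat"
    echo "$root"
}

# Demo: break two things the way a careless upload or chmod would, then audit.
sample=$(make_sample)
chmod g-s,g-w "$sample/cache"       # new files here would lose the shared group
chmod o+w "$sample/cache/tmp.dat"   # world-writable file
audit_docroot "$sample" "$(id -g)" || true
rm -rf "$sample"
```

On a real server, pass the web root and the name of the shared group instead of the sample tree; a non-zero exit status makes the function usable from cron or a deploy script.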