
I have an EC2 instance on AWS that already has a few WordPress sites installed on it. I want to set things up so that more people can handle their own projects, while I am still able to go into the server using the terminal if I want to.

I have been following tutorials such as "How to setup a restricted SFTP server on Ubuntu?" and a few others. I figured all of them just teach users how to SFTP into their own home folder; also, the steps keep saying adduser, but some users already exist and removing them might cause some issues.

How can I give existing users permission to use SFTP for WordPress projects?

Let's say all my WordPress projects are already under /var/www/, which has already been set up as www-data:www-data.

I'm really new to setting things like this up.

Thanks in advance for any help.

  • @pa4080 Your answer is quite lengthy and confusing; wouldn't it just be easier to show the OP how to set up SSH and give their users public keys? – EODCraft Staff Apr 12 '18 at 09:26
  • @EODCraftStaff the question is not about that. I'm assuming this is already achieved: "I figured all of them just teach how to sftp into their own home folder..." The answer contains about 7 sentences. – pa4080 Apr 12 '18 at 09:31
  • Hi, Dora, I know you asked the question a long time ago, but maybe you will like the update of my answer. – pa4080 Feb 28 '22 at 10:47

1 Answer


Update: Recently I've converted this answer into a useful script and have started using it extensively with VSCode and its SSH abilities. The script is now available on GitHub: bindfs-to-home-bash.


Here I'm assuming you are able to ssh/sftp into your user's home directory successfully and you want to edit (with your user) files and folders under /var/www that are owned by the user and :group www-data:www-data (without changing their ownership).

Here I'm also assuming that the topic How to avoid using sudo when working in /var/www? doesn't cover your needs. For example, you don't want to change the permissions under /var/www.

I think the easiest and clearest way to solve this task is to mount /var/www (or a certain directory inside it) into your user's home directory and change the owner to your user and :group. This can be achieved with the tool bindfs:

sudo apt update && sudo apt install bindfs

Here we will mount the entire directory /var/www in a directory also called www/, located in your user's home directory.

mkdir "$HOME/www"
sudo bindfs -u $(id -u) -g $(id -g) --create-for-user=www-data --create-for-group=www-data /var/www "$HOME/www"
  • The command substitutions $(id -u) and $(id -g) return the UID and GID of the current user.

  • If you want to execute the above command for another user, use $(id -u <user>) and $(id -g <user>), where <user> is an actual username.

  • For more details about the arguments used with bindfs, read its manual page: man bindfs.

  • If you want to unmount ~/www ($HOME/www), use the command:

      sudo fusermount -u ~/www

To mount /var/www in ~/www automatically during system startup, add the following line at the bottom of /etc/fstab:

bindfs#/var/www /home/<user>/www fuse force-user=<uid>,force-group=<gid>,create-for-user=www-data,create-for-group=www-data 0 0
  • Note: you should replace <user> with the actual username; you should also replace <uid> and <gid> with the actual UID and GID of <user>, which you can find with the commands id -u <user> and id -g <user>.

  • To see the result, reboot the system or execute:

      sudo mount -a    # maybe you should execute `sudo fusermount -u ~/www` first

Here is an animated demo of how this works:

[animated demo image]

The only limitation of this approach that I found is that when you change the ownership of the bind directory, this also changes the ownership of the source directory. For example, the next command is not a good idea:

chown -R $(id -u):$(id -g) $HOME/www

Maybe there is a suitable option for the bindfs command that prevents this from happening, but I can't tell at the moment.

  • I believe I understand the logic and so on, but let's say I am setting this up for another user? I tried replacing $USER with another user's name but it gives me something like this: Not a valid group ID: – Dora Apr 12 '18 at 18:35
  • The user's name does exist, though; I am able to use FileZilla to SFTP in with the username and password. – Dora Apr 12 '18 at 18:36
  • Hi, @Dora, use the command id filezilla to find which group the user filezilla belongs to. Then use this group where it is needed. If you want, post the output of id filezilla; maybe I could help. – pa4080 Apr 12 '18 at 18:48
  • Oh oops, by filezilla I meant the FTP software with a GUI. Anyway, I used id username as you mentioned and this is the outcome: `uid=1002(username) gid=1002(ftpaccess) groups=1002(ftpaccess),33(www-data)` – Dora Apr 12 '18 at 18:51
  • @Dora: have you read this great topic: How to avoid using sudo when working in /var/www? ... The approach that I proposed here is different, but in this way you will be able to manipulate the files more fluently. – pa4080 Apr 12 '18 at 18:59
  • I do like the way you proposed, but does the "avoid using sudo" topic have to do with why I get the error Not a valid group ID:? – Dora Apr 12 '18 at 19:13
  • @Dora: According to the current answer: (1) the bindfs command should be: sudo bindfs -u username -g ftpaccess --create-for-user=www-data --create-for-group=www-data /var/www /path-to/mount-point (2) the /etc/fstab directive: bindfs#/var/www /path-to/mount-point fuse force-user=username,force-group=ftpaccess,create-for-user=www-data,create-for-group=www-data 0 0 – pa4080 Apr 12 '18 at 19:17
  • @Dora, I've updated the answer. Actually, instead of the user and group names you can use their IDs (UID and GID); to find them use: id -u username and id -g username. – pa4080 Apr 12 '18 at 19:47
  • I'm happy to help you, @Dora! – pa4080 Apr 12 '18 at 20:57
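The steps above (resolve the target user's UID/GID, build the bindfs command, build the matching /etc/fstab line) are easy to get wrong by hand, which is exactly what the "Not a valid group ID" exchange in the comments shows. The following POSIX sh script is an added example, not pa4080's bindfs-to-home-bash script and not code from the original answer. The function names (resolve_ids, check_paths, bindfs_cmd, fstab_line, plan_mount) are hypothetical. It resolves the IDs with id(1) so that either a username or a numeric ID works, rejects a relative or self-referential mount point before anything is mounted, and only prints the commands to run; nothing is mounted or written to /etc/fstab by the script itself.

```sh
#!/bin/sh
# Added example (not the answer's own script): plan a bindfs mount of /var/www
# into an existing user's home directory. All helper names are hypothetical.

# resolve_ids <user-or-uid>: print "UID GID" for an existing account, fail otherwise.
# Using id(1) here is what avoids the "Not a valid group ID" mistake: bindfs gets
# numeric IDs regardless of whether the caller passed a name or a number.
resolve_ids() {
  uid=$(id -u "$1" 2>/dev/null) || { echo "resolve_ids: no such user: $1" >&2; return 1; }
  gid=$(id -g "$1" 2>/dev/null) || { echo "resolve_ids: no primary group for: $1" >&2; return 1; }
  printf '%s %s\n' "$uid" "$gid"
}

# check_paths <source> <mountpoint>: both must be absolute and must differ.
# Mounting a directory onto itself, or onto a relative path that depends on the
# shell's cwd, is the kind of mistake that is hard to undo once it is in fstab.
check_paths() {
  case "$1" in /*) ;; *) echo "check_paths: source must be absolute: $1" >&2; return 1 ;; esac
  case "$2" in /*) ;; *) echo "check_paths: mount point must be absolute: $2" >&2; return 1 ;; esac
  [ "$1" != "$2" ] || { echo "check_paths: source and mount point are identical" >&2; return 1; }
  return 0
}

# bindfs_cmd <uid> <gid> <source> <mountpoint>: the one-off mount command from the answer.
# Files created through the mount are owned by www-data on the real filesystem,
# so the web server keeps working and the user never needs sudo for edits.
bindfs_cmd() {
  printf 'sudo bindfs -u %s -g %s --create-for-user=www-data --create-for-group=www-data %s %s\n' \
    "$1" "$2" "$3" "$4"
}

# fstab_line <uid> <gid> <source> <mountpoint>: the persistent form from the answer.
fstab_line() {
  printf 'bindfs#%s %s fuse force-user=%s,force-group=%s,create-for-user=www-data,create-for-group=www-data 0 0\n' \
    "$3" "$4" "$1" "$2"
}

# plan_mount <user> [source] [mountpoint]: validate and print what to run.
# Defaults mirror the answer: /var/www mounted at the user's ~/www.
plan_mount() {
  user=$1
  src=${2:-/var/www}
  ids=$(resolve_ids "$user") || return 1
  uid=${ids% *}
  gid=${ids#* }
  home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
  mnt=${3:-${home:-/home/$user}/www}
  check_paths "$src" "$mnt" || return 1
  echo "# 1. create the mount point (as $user):"
  echo "mkdir -p $mnt"
  echo "# 2. mount now:"
  bindfs_cmd "$uid" "$gid" "$src" "$mnt"
  echo "# 3. append to /etc/fstab for boot-time mounting (skip if already present):"
  fstab_line "$uid" "$gid" "$src" "$mnt"
  echo "# Do NOT run chown -R on $mnt: ownership changes propagate to $src."
}

# Usage: sh plan-bindfs.sh <user> [source] [mountpoint]
if [ $# -ge 1 ]; then
  plan_mount "$@"
fi
```

The script is deliberately a planner: reviewing the printed bindfs command and fstab line before executing them is the check a practitioner wants, since a wrong force-user/force-group value or a typo in the mount point ends up in a file that is parsed at every boot. The final warning repeats the answer's own caveat about chown -R on the bind directory.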