Root owned home directories - is it possible?

R

razixx

Hi guys, I'm not sure if what I'm doing is possible or considered secure so here it goes. I'm in the process of trying to set up a webserver with home directories residing in /var/www. Users will have their default shell set as nologin and be logging in through sftp. When I add a user, I would like the newly created directories to be owned by root:www_data and writable by group.

Is this possible or asking for trouble?
 
sftp won't allow the user to login if the user's homedirectory is group writable.

I would separate the homedirectories (and keep them only writeable and readable by the user) from the directories containing the actual files served by the webserver. In order for the users to more easily locate those, you could create a link in their directory pointing to for example /usr/local/www/www_data_for_user_X.
 
Thanks for the reply @stralle, I would have never thought of linking the public_html directory into the home folder. Seems like a more elegant solution.

For some reason I thought I had tested the group-writable directories with sftp, I had tried again and it didn't work.

Root still needs to own the home folders in order to allow the sftp connection though correct? It's how I currently have it set up and it seems to be working.
 
Last edited by a moderator:
Who owns the home directory of the user won't matter from the point of view of sftp. The man page of sshd(8) contains some pointers on permissions of critical paths, of which sftp is part of. The setting of StrictMode is what governs all this, which is default on and should be left in that state.

By setting root as the owner, you may run into problems with .history files not updating properly. As the purpose of all this was to set /sbin/nologin as shell, that won't be an issue though.
 
You must log in or register to reply here.
Back
Top