Secure permissions for a LAMP server with SFTP Web developer access

I’m planning to set up a LAMP server on Ubuntu 20.04 with SFTP access. I’m specifically searching for information on how to securely set file and directory permissions for /var/www/html/ while allowing SFTP write access for a Web developer. The apache server (www-data) also needs write access to a few subdirectories/files. The LAMP setup guides that I’ve seen don’t explain secure permission settings, and there’s a lot of conflicting information out there. Does anyone know of a guide that explains how to securely set file and directory permissions or best practices for this use case?

Thanks

Hi @vintage,

Welcome to the forum! Can you answer the following?

  1. How many developers accounts are there on the server?
  2. How many websites or virtual hosts are there?

Here is how to configure SFTP for a web server document root for a LAMP server running on Ubuntu 20.04 LTS.

Step 1 - Login as root on the Ubuntu server

Use the su - or sudo -i:

sudo -i

Step 2 - Setting up a new directory structure for sftp and virtual host

Avoid using the /var/www/html. Instead, you need to set up a new directory structure as follows:

mkdir /wwwroots

Then create a new directory for storing html/php/css files:

mkdir /wwwroots/public_html

Step 3 - Create sftp user and add to the www-data group

Create a new user called webadmin:

adduser webadmin

Then add that user to the www-data group, which is used by Apache 2 server:

usermod -a -G www-data webadmin
id webadmin

Step 4 - Update your sftp config on the LAMP server

Type:

vim /etc/ssh/sshd_config

Append config for the webadmin sftp user with /wwwroots directory:

Match User webadmin
        ChrootDirectory /wwwroots
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PasswordAuthentication yes

Test and restart the sshd service:

sshd -t && systemctl reload ssh.service

Step 5 - Set correct permission for /wwwroots directory

The /wwwroots/ directory must be owned by the root user with 0755 permissions for this to work.

sudo chmod 0755 /wwwroots/
chown root:root /wwwroots/
ls -ld /wwwroots/

Here is how it should look:

drwxr-xr-x 3 root root 4096 Nov 11 10:19 /wwwroots/

Then set up the actual permissions for the directories inside /wwwroots/:

cd /wwwroots/
chmod -R 0775 public_html/
#####################################################################
# Magic happens here as we give access to the www-data group,
# of which both the Apache user and the webadmin user are members.
# In other words, anyone who is part of the www-data group can access
# the /wwwroots/public_html directory. Hence, only add users who
# need access.
#####################################################################
chown -R www-data:www-data public_html/
chmod -R g+s public_html/
ls -ld public_html/

Step 6 - Apache virtual config

Create/update /etc/apache2/sites-available/your-domain-com.conf

<Directory /wwwroots>
        Require all granted
</Directory>
<VirtualHost *:80>
        ServerName your-domain-com
        ServerAdmin webmaster@your-domain-com
        DocumentRoot /wwwroots/public_html
        ErrorLog ${APACHE_LOG_DIR}/your-domain-com_error.log
        CustomLog ${APACHE_LOG_DIR}/your-domain-com_access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Make sure you restart the web server:

# enable your virtual host
a2ensite your-domain-com
systemctl reload apache2.service

Step 7 - Test it

Upload a test file using sftp and put test.php from the current directory to the server dir:

sftp webadmin@your-server-ip
put test.php

Fire up a web browser:

https://your-domain/test.php

Now the webadmin user can upload/delete/update files using sftp, but no SSH access is granted. The web server can also read and write files.

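As an added example that is not part of the original post, here is a bash check script for the layout Steps 4 and 5 build: it verifies that the chroot root is root-owned and not group/world writable (sshd refuses the ChrootDirectory otherwise) and that the docroot carries the www-data group with the setgid bit, so uploads stay readable and writable by Apache. The demo function builds a constructed tree under mktemp, with the running user standing in for root and its primary group for www-data; on the real server call check_sftp_layout /wwwroots /wwwroots/public_html www-data.

```bash
#!/usr/bin/env bash
# Added example (not from the forum post): checks the invariants Steps 4 and 5
# rely on. sshd refuses a ChrootDirectory that is not root-owned or is group/world
# writable, and uploads stay Apache-writable only if the docroot is group www-data
# with the setgid bit set.
set -u

# check_sftp_layout CHROOT DOCROOT WEB_GROUP [CHROOT_OWNER]
# Returns 0 when the layout matches the post, prints a reason and returns 1 otherwise.
check_sftp_layout() {
    local chroot=$1 docroot=$2 web_group=$3 owner=${4:-root} perm bad
    # Chroot root: owned by $owner, no group/other write (0755), or sshd rejects it.
    [ "$(stat -c '%U' "$chroot")" = "$owner" ] ||
        { echo "FAIL: $chroot must be owned by $owner"; return 1; }
    perm=$((8#$(stat -c '%a' "$chroot")))
    if (( perm & 8#022 )); then
        echo "FAIL: $chroot is group/world writable; sshd will refuse the chroot"; return 1
    fi
    # Docroot: group www-data with setgid and group write (2775 after chmod -R g+s).
    [ "$(stat -c '%G' "$docroot")" = "$web_group" ] ||
        { echo "FAIL: $docroot must be group-owned by $web_group"; return 1; }
    perm=$((8#$(stat -c '%a' "$docroot")))
    if (( (perm & 8#2020) != 8#2020 )); then
        echo "FAIL: $docroot needs setgid + group write (mode 2775)"; return 1
    fi
    # Anything below that lost the group or, for directories, the setgid/g+w bits.
    bad=$(find "$docroot" ! -group "$web_group" -o -type d ! -perm -2020 | head -n 3)
    [ -z "$bad" ] || { echo "FAIL: wrong group/mode under $docroot:"; echo "$bad"; return 1; }
    echo "OK: $chroot and $docroot match the post's layout"
}

# demo_layout CHROOT_MODE: builds a constructed /wwwroots tree under mktemp with the
# given mode on the chroot root and runs the check. The running user stands in for
# root and its primary group for www-data, since chown to root needs privileges.
demo_layout() {
    local top rc
    top=$(mktemp -d)
    mkdir -p "$top/wwwroots/public_html"
    : > "$top/wwwroots/public_html/test.php"   # constructed upload
    chmod "$1" "$top/wwwroots"
    chmod -R 2775 "$top/wwwroots/public_html"
    check_sftp_layout "$top/wwwroots" "$top/wwwroots/public_html" "$(id -gn)" "$(id -un)"
    rc=$?
    rm -rf "$top"
    return $rc
}

demo_layout 0755          # matches the post: prints OK
demo_layout 0775 || true  # group-writable chroot root: prints FAIL
```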

Thank you for the quick replies.

@monk - There will be one developer account and two virtual hosts.

@nixcraft - Thanks for the detailed reply. I have a test server running so I’ll set things up as you have outlined and begin testing.

@vintage let us know if you need any further assistance.

