My_webapp and SFTP permissions/Chroot user questions for clarification

ashworksco · August 8, 2022, 6:22am

I looked this up and didn’t see a clear explanation for my needs.

I have two users created on Yunohost so far.

I want to make one of them SFTP-only with chroot access to their own user directory, which I would theoretically then point their domain to that directory/subdirectory (in the case of multiple domains via A Name records and/or virtual hosts, I believe).

I can’t currently access SFTP just by assigning SFTP permissions to my own user account or the other person’s account that I am testing.

It sounds like my_webapp could be the most straightforward way to approach this via YNH’s workflow from my reading, but I am not sure–the information seems a little confusing.

Is there a way to link an existing user, i.e. a YNH user who currently has a directory now in /home/, to the my_webapp instance just created?

Or does this in effect create two users: one for accessing Yunohost, and one for logging in to SFTP?

And, would this installation of my_webapp get in the way of installing their own CMS (such as wordpress, or other web installations for that matter), for them within their chroot directory via YNH’s web admin? Or for this kind of thing, would it make more sense to go about this install via SSH instead?

I know this was linked in a previous discussion here, and this corresponds similarly to YNH’s own documentation to command line SFTP permissions: OpenSSH/Cookbook/File Transfer with SFTP - Wikibooks, open books for an open world

But from here, I don’t know what my next steps are–if I should use chroot separately from my_webapp, or with it based on my needs. And, if this is something that I need to address separately, as I can’t seem to access SFTP currently to test, despite permissions (via web admin) being applied.

I’m really enjoying using YNH so far! I want to be able to give whoever uses their website on my VPS the easiest time to access their files and applications under their domain(s), especially when they need to build their websites. Myself and the person in question are both used to CPanel, which has a different workflow than YNH. I am still relatively new to Linux in general and I have a lot to learn.

Thanks in advance for your patience and any help!

P.S.
Je sais lire un peu le français, mais ma grammaire et mon vocabulaire sont très rouillés si je réponds.

tituspijean · August 8, 2022, 7:07am

There’s a pending PR that I finished yesterday that adds a YunoHost inernal configuration panel for my webapp.

It offers to create an SSH/SFTP access to the webapp, with a chrooted shell.

github.com/YunoHost-Apps/my_webapp_ynh

Config Panel 1.0

YunoHost-Apps:testing ← Tagadda:fix-configpanel

opened 01:26PM - 31 Jan 22 UTC

Tagadda

+193 -95

## Problem Closes #72 ## Solution - *And how do you fix that problem* … ## PR Status - [ ] Code finished and ready to be reviewed/tested - [ ] The fix/enhancement were manually tested (if applicable) ## Automatic tests Automatic tests can be triggered on https://ci-apps-dev.yunohost.org/ *after creating the PR*, by commenting "!testme", "!gogogadgetoci" or "By the power of systemd, I invoke The Great App CI to test this Pull Request!". (N.B. : for this to work you need to be a member of the Yunohost-Apps organization)

If you want to test it:
sudo yunohost app install https://github.com/Tagadda/my_webapp_ynh/tree/fix-configpanel -f

It’s password-protected only though. Maybe you can create a /var/www/<my_webapp>/.ssh/authorized_keys to add you users’ pubkeys. (Untested)

ashworksco · August 8, 2022, 7:14am

I’m happy to test it.

Are you saying that this helps to establish existing users’ access to the directory?

Sorry, I might be overthinking this, but “webapp” to me means something different than “website,” but they may mean the same thing here for these purposes.

tituspijean · August 8, 2022, 2:36pm

If you give the password to anyone, they will have access to the www directory of the webapp.

If you use the pubkey method, then anyone with their pubkey registered will have access.

Regarding website/webapp conundrum, here they mean the same.

ashworksco · August 8, 2022, 5:14pm

Thank you for clarifying!

I was able to resolve my SFTP problem–I realized I was not configuring my client correctly, so I do at least have SFTP access, and that is working properly.

If I understand you correctly, if I want to use my_webapp to use chroot to bind SFTP access for someone to that directory, and if I want to give an existing user access, I should be able to, and this PR for Config Panel should facilitate that.

I know I can set up chroot separately if I want to manage manually applying it to a folder, via chroot - Debian Wiki but it seems like my_webapp is meant to fast track that.

My concern is as follows:

If I apply my_webapp to a domain I have added via the web admin, I am concerned that I will not be able to say, install a CMS as the index/root point via the web admin, as I have gotten “this domain will not be usable by other applications” as a warning in the past. I know there are ways around this, i.e. setting a virtual host to point to the CMS domain.ltd/CMS/ folder, but I do not know best practices for this, as I am self-taught up to this point. Or, my_webapp does not have that constraint, and I just don’t know about it.

Thank you again for your help!

system · August 23, 2022, 5:15pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.