My_webapp and SFTP permissions/Chroot user questions for clarification

I looked this up and didn’t see a clear explanation for my needs.

I have two users created on Yunohost so far.

I want to make one of them SFTP-only with chroot access to their own user directory, which I would theoretically then point their domain to that directory/subdirectory (in the case of multiple domains via A Name records and/or virtual hosts, I believe).

I can’t currently access SFTP just by assigning SFTP permissions to my own user account or the other person’s account that I am testing.

It sounds like my_webapp could be the most straightforward way to approach this via YNH’s workflow from my reading, but I am not sure–the information seems a little confusing.

Is there a way to link an existing user, i.e. a YNH user who currently has a directory now in /home/, to the my_webapp instance just created?

Or does this in effect create two users: one for accessing Yunohost, and one for logging in to SFTP?

And, would this installation of my_webapp get in the way of installing their own CMS (such as wordpress, or other web installations for that matter), for them within their chroot directory via YNH’s web admin? Or for this kind of thing, would it make more sense to go about this install via SSH instead?

I know this was linked in a previous discussion here, and this corresponds similarly to YNH’s own documentation to command line SFTP permissions: OpenSSH/Cookbook/File Transfer with SFTP - Wikibooks, open books for an open world

But from here, I don’t know what my next steps are–if I should use chroot separately from my_webapp, or with it based on my needs. And, if this is something that I need to address separately, as I can’t seem to access SFTP currently to test, despite permissions (via web admin) being applied.

I’m really enjoying using YNH so far! I want to be able to give whoever uses their website on my VPS the easiest time to access their files and applications under their domain(s), especially when they need to build their websites. Myself and the person in question are both used to CPanel, which has a different workflow than YNH. I am still relatively new to Linux in general and I have a lot to learn.

Thanks in advance for your patience and any help!

I can read a little French, but my grammar and vocabulary are very rusty if I reply.

There’s a pending PR that I finished yesterday that adds a YunoHost internal configuration panel for my webapp.

It offers to create an SSH/SFTP access to the webapp, with a chrooted shell.

If you want to test it:
sudo yunohost app install -f

It’s password-protected only though. Maybe you can create a /var/www/<my_webapp>/.ssh/authorized_keys to add your users’ pubkeys. (Untested)

1 Like
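
A check that fits the chrooted SFTP access and the untested authorized_keys idea in the reply above, as an added example that is not part of the thread and not YunoHost or my_webapp code. It audits the ownership and mode rules OpenSSH applies to a ChrootDirectory and, under StrictModes, to the key file. It assumes the account's home is the /var/www/<my_webapp> directory from the post, that sshd keeps its default StrictModes, and that GNU stat and realpath are available; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not YunoHost or my_webapp code. Assumes GNU stat and realpath.
# Constructed usage: check_chroot_path /var/www/APP ; check_key_files /var/www/APP APP_UID

# is_loose MODE: true when the octal MODE has a group- or world-write bit set.
is_loose() { [ $(( 0$1 & 022 )) -ne 0 ]; }

# sshd refuses a ChrootDirectory unless every path component, from / down to
# the directory itself, is owned by root and not group- or world-writable.
check_chroot_path() {
  p=$(realpath -- "$1") || return 2
  while :; do
    meta=$(stat -c '%u %a' -- "$p") || return 2
    uid=${meta% *}; mode=${meta#* }
    if [ "$uid" != 0 ] || is_loose "$mode"; then
      echo "FAIL chroot: $p uid=$uid mode=$mode"; return 1
    fi
    [ "$p" = / ] && break
    p=$(dirname -- "$p")
  done
  return 0
}

# With StrictModes (the default), sshd ignores authorized_keys unless the home
# directory, .ssh and the key file are owned by the account or root and are
# not group- or world-writable.
check_key_files() {
  home=$1; owner=$2; rc=0
  for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$f" ] || { echo "MISSING $f"; rc=1; continue; }
    meta=$(stat -c '%u %a' -- "$f") || return 2
    uid=${meta% *}; mode=${meta#* }
    if { [ "$uid" != 0 ] && [ "$uid" != "$owner" ]; } || is_loose "$mode"; then
      echo "FAIL keys: $f uid=$uid mode=$mode"; rc=1
    fi
  done
  return "$rc"
}
```

A FAIL line names the first path that would make sshd reject the chroot or skip the key file, which is the usual reason a key-based SFTP login falls back to asking for a password.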

I’m happy to test it.

Are you saying that this helps to establish existing users’ access to the directory?

Sorry, I might be overthinking this, but “webapp” to me means something different than “website,” but they may mean the same thing here for these purposes.

If you give the password to anyone, they will have access to the www directory of the webapp.

If you use the pubkey method, then anyone with their pubkey registered will have access.

Regarding website/webapp conundrum, here they mean the same.

Thank you for clarifying!

I was able to resolve my SFTP problem–I realized I was not configuring my client correctly, so I do at least have SFTP access, and that is working properly.

If I understand you correctly, if I want to use my_webapp to use chroot to bind SFTP access for someone to that directory, and if I want to give an existing user access, I should be able to, and this PR for Config Panel should facilitate that.

I know I can set up chroot separately if I want to manage manually applying it to a folder, via chroot - Debian Wiki but it seems like my_webapp is meant to fast track that.

My concern is as follows:

If I apply my_webapp to a domain I have added via the web admin, I am concerned that I will not be able to say, install a CMS as the index/root point via the web admin, as I have gotten “this domain will not be usable by other applications” as a warning in the past. I know there are ways around this, i.e. setting a virtual host to point to the CMS folder, but I do not know best practices for this, as I am self-taught up to this point. Or, my_webapp does not have that constraint, and I just don’t know about it.

Thank you again for your help!
