bad ownership or modes for chroot directory “/var/www”
I am getting following error in auth.log when trying to connect to site using SFTP.
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser which is part of sftponly group.
If I do following then I can connect but cannot rename, edit, delete, overwrite any file or folder inside www
sudo chmod 755 /var/www/
Here's my sshd_config setting
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
How to fix this issue?
ssh debian sftp chmod sshd
asked Aug 12 '17 at 14:21
Frank Martin
13427
add a comment |
I am getting following error in auth.log when trying to connect to site using SFTP.
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser which is part of sftponly group.
If I do following then I can connect but cannot rename, edit, delete, overwrite any file or folder inside www
sudo chmod 755 /var/www/
Here's my sshd_config setting
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
How to fix this issue?
ssh debian sftp chmod sshd
asked Aug 12 '17 at 14:21
Frank Martin
13427
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside/var/wwwbut it has the same issue. Even if I give 777 permission on/var/wwwthen I cannot connect to SFTP. It will only connect if/var/www/has 755 permission but then it won't let me delete, rename etc.
– Frank Martin
Aug 12 '17 at 16:02
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:chmod -R 775 /var/www.
– doriclazar
Aug 12 '17 at 16:34
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
Frank, you don't need other users to have full permissions (777), you need users ofsftponlygroup to have read, write, and optional - to execute all enclosed files and folders. You achieve that by:chmod -R 775 /var/www, and by making this group owner of child files and directories:chown -R root:sftponly /var/www.
– doriclazar
Aug 13 '17 at 15:08
1
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43
add a comment |
I am getting following error in auth.log when trying to connect to site using SFTP.
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser which is part of sftponly group.
If I do following then I can connect but cannot rename, edit, delete, overwrite any file or folder inside www
sudo chmod 755 /var/www/
Here's my sshd_config setting
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
How to fix this issue?
ssh debian sftp chmod sshd
asked Aug 12 '17 at 14:21
Frank Martin
13427
I am getting following error in auth.log when trying to connect to site using SFTP.
fatal: bad ownership or modes for chroot directory "/var/www"
ls -ld of this directory shows this:
drwxrwxr-x 4 root sftponly 4096 Aug 12 04:05 /var/www/
As you can see I have given full permission to group sftponly. The user through which I am connecting to SFTP is mysftpuser which is part of sftponly group.
If I do following then I can connect but cannot rename, edit, delete, overwrite any file or folder inside www
sudo chmod 755 /var/www/
Here's my sshd_config setting
Match group sftponly
ChrootDirectory /var/www
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
So in short sudo chmod 755 /var/www/ allows me to connect but only in READ only mode. sudo chmod 775 /var/www/ doesn't even allow me to connect.
How to fix this issue?
ssh debian sftp chmod sshd
ssh debian sftp chmod sshd
asked Aug 12 '17 at 14:21
Frank Martin
13427
asked Aug 12 '17 at 14:21
Frank Martin
13427
asked Aug 12 '17 at 14:21
Frank Martin
13427
asked Aug 12 '17 at 14:21
Frank Martin
13427
asked Aug 12 '17 at 14:21
Frank Martin
13427
13427
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside/var/wwwbut it has the same issue. Even if I give 777 permission on/var/wwwthen I cannot connect to SFTP. It will only connect if/var/www/has 755 permission but then it won't let me delete, rename etc.
– Frank Martin
Aug 12 '17 at 16:02
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:chmod -R 775 /var/www.
– doriclazar
Aug 12 '17 at 16:34
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
Frank, you don't need other users to have full permissions (777), you need users ofsftponlygroup to have read, write, and optional - to execute all enclosed files and folders. You achieve that by:chmod -R 775 /var/www, and by making this group owner of child files and directories:chown -R root:sftponly /var/www.
– doriclazar
Aug 13 '17 at 15:08
1
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43
add a comment |
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside/var/wwwbut it has the same issue. Even if I give 777 permission on/var/wwwthen I cannot connect to SFTP. It will only connect if/var/www/has 755 permission but then it won't let me delete, rename etc.
– Frank Martin
Aug 12 '17 at 16:02
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:chmod -R 775 /var/www.
– doriclazar
Aug 12 '17 at 16:34
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
Frank, you don't need other users to have full permissions (777), you need users ofsftponlygroup to have read, write, and optional - to execute all enclosed files and folders. You achieve that by:chmod -R 775 /var/www, and by making this group owner of child files and directories:chown -R root:sftponly /var/www.
– doriclazar
Aug 13 '17 at 15:08
1
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside
/var/www but it has the same issue. Even if I give 777 permission on /var/www then I cannot connect to SFTP. It will only connect if /var/www/ has 755 permission but then it won't let me delete, rename etc.– Frank Martin
Aug 12 '17 at 16:02
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside
/var/www but it has the same issue. Even if I give 777 permission on /var/www then I cannot connect to SFTP. It will only connect if /var/www/ has 755 permission but then it won't let me delete, rename etc.– Frank Martin
Aug 12 '17 at 16:02
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:
chmod -R 775 /var/www.– doriclazar
Aug 12 '17 at 16:34
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:
chmod -R 775 /var/www.– doriclazar
Aug 12 '17 at 16:34
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
Frank, you don't need other users to have full permissions (777), you need users of
sftponly group to have read, write, and optional - to execute all enclosed files and folders. You achieve that by: chmod -R 775 /var/www, and by making this group owner of child files and directories: chown -R root:sftponly /var/www.– doriclazar
Aug 13 '17 at 15:08
Frank, you don't need other users to have full permissions (777), you need users of
sftponly group to have read, write, and optional - to execute all enclosed files and folders. You achieve that by: chmod -R 775 /var/www, and by making this group owner of child files and directories: chown -R root:sftponly /var/www.– doriclazar
Aug 13 '17 at 15:08
1
1
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43
add a comment |
2 Answers
2
active
oldest
votes
Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.
See this question's answer for more info
Server Fault Question
answered Aug 21 '17 at 23:54
lgflorentino
335
add a comment |
Here's the commands you need:
usermod -d /var/www/ sftponly
usermod -s /sbin/nologin sftponly
usermod -s /bin/false sftponly
After this best way to give permissions for any user to any folder is ACL:
setfacl -Rm "u:sftponly:rwx" /var/www/
setfacl -Rdm "u:sftponly:rwx" /var/www/
Then enjoy your life
answered Oct 2 at 13:25
Samir Ahmadli
1
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1240245%2fbad-ownership-or-modes-for-chroot-directory-var-www%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.
See this question's answer for more info
Server Fault Question
answered Aug 21 '17 at 23:54
lgflorentino
335
add a comment |
Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.
See this question's answer for more info
Server Fault Question
answered Aug 21 '17 at 23:54
lgflorentino
335
add a comment |
Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.
See this question's answer for more info
Server Fault Question
answered Aug 21 '17 at 23:54
lgflorentino
335
Sounds like your permissions are too permissive for SFTP. You will need to create a folder for the user and let him access it with 0700 permissions or even more restrictive than that.
See this question's answer for more info
Server Fault Question
answered Aug 21 '17 at 23:54
lgflorentino
335
answered Aug 21 '17 at 23:54
lgflorentino
335
answered Aug 21 '17 at 23:54
lgflorentino
335
answered Aug 21 '17 at 23:54
lgflorentino
335
335
add a comment |
add a comment |
Here's the commands you need:
usermod -d /var/www/ sftponly
usermod -s /sbin/nologin sftponly
usermod -s /bin/false sftponly
After this best way to give permissions for any user to any folder is ACL:
setfacl -Rm "u:sftponly:rwx" /var/www/
setfacl -Rdm "u:sftponly:rwx" /var/www/
Then enjoy your life
answered Oct 2 at 13:25
Samir Ahmadli
1
add a comment |
Here's the commands you need:
usermod -d /var/www/ sftponly
usermod -s /sbin/nologin sftponly
usermod -s /bin/false sftponly
After this best way to give permissions for any user to any folder is ACL:
setfacl -Rm "u:sftponly:rwx" /var/www/
setfacl -Rdm "u:sftponly:rwx" /var/www/
Then enjoy your life
answered Oct 2 at 13:25
Samir Ahmadli
1
add a comment |
Here's the commands you need:
usermod -d /var/www/ sftponly
usermod -s /sbin/nologin sftponly
usermod -s /bin/false sftponly
After this best way to give permissions for any user to any folder is ACL:
setfacl -Rm "u:sftponly:rwx" /var/www/
setfacl -Rdm "u:sftponly:rwx" /var/www/
Then enjoy your life
answered Oct 2 at 13:25
Samir Ahmadli
1
Here's the commands you need:
usermod -d /var/www/ sftponly
usermod -s /sbin/nologin sftponly
usermod -s /bin/false sftponly
After this best way to give permissions for any user to any folder is ACL:
setfacl -Rm "u:sftponly:rwx" /var/www/
setfacl -Rdm "u:sftponly:rwx" /var/www/
Then enjoy your life
answered Oct 2 at 13:25
Samir Ahmadli
1
answered Oct 2 at 13:25
Samir Ahmadli
1
answered Oct 2 at 13:25
Samir Ahmadli
1
answered Oct 2 at 13:25
Samir Ahmadli
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1240245%2fbad-ownership-or-modes-for-chroot-directory-var-www%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Anyone has a suggestion? I have been trying for hours to fix this issue but no luck? I created a new dir inside
/var/wwwbut it has the same issue. Even if I give 777 permission on/var/wwwthen I cannot connect to SFTP. It will only connect if/var/www/has 755 permission but then it won't let me delete, rename etc.– Frank Martin
Aug 12 '17 at 16:02
sftponly probably have less permissions on child files and directories, then on /var/www itself. If changing modes recursively is an option, that's your next step:
chmod -R 775 /var/www.– doriclazar
Aug 12 '17 at 16:34
I have already done this and it didn't solve the problem. Even if I give full permissions 777, I cannot connect.
– Frank Martin
Aug 12 '17 at 18:11
Frank, you don't need other users to have full permissions (777), you need users of
sftponlygroup to have read, write, and optional - to execute all enclosed files and folders. You achieve that by:chmod -R 775 /var/www, and by making this group owner of child files and directories:chown -R root:sftponly /var/www.– doriclazar
Aug 13 '17 at 15:08
1
Possible duplicate of openSSH connection reset by peer
– Jakuje
Aug 13 '17 at 20:43