Specific user account for Apache in the /var/www directory
Solution 1
You do not need a new user; just ensure the group is always www-data. You chmod the actual dir to have the setgid bit, and all new files created under it will have the www-data group.
So, to make sure that if you need to place files there with your user it keeps the right group, run chgrp, and chmod to set the setgid bit on the directory:
sudo chgrp www-data /var/www
sudo chmod g+s /var/www
http://blog.superuser.com/2011/04/22/linux-permissions-demystified/
As for the user, create it as nkts suggests, where -M means do not create the home dir and -N means do not create a default group with the same name as the user:
sudo useradd -d /var/www/ -g www-data -M -N -s /sbin/nologin user
I would set it up with SFTP instead of FISH, as it is more secure, reliable, and very flexible. You also have to chroot it to its home to make sure it has no access to the rest of the file system, and restrict it to internal-sftp. Add to /etc/ssh/sshd_config:
Match User user
ChrootDirectory /var/www
ForceCommand internal-sftp
Note: FISH is more of an archaic curiosity, a shell that was used before SFTP.
If you still want to use FISH in Ubuntu:
sudo apt-add-repository ppa:fish-shell/release-2
sudo apt-get update
sudo apt-get install fish
And then change the shell of the user:
sudo chsh -s /usr/bin/fish user
We also have to force the shell again in /etc/ssh/sshd_config:
Match User user
ForceCommand /usr/bin/fish
This article will also help you with FISH:
https://hackercodex.com/guide/install-fish-shell-mac-ubuntu/
The restriction to the home dir with fish should be possible, but it is more complicated to set up and difficult to enforce; it would be easier if the owner of /var/www were www-data.
To set up such a restriction, you would need at least to copy /usr/bin/fish into /var/www (which is not a good idea), and for /var/www and /usr/bin/fish to be owned by root (which also invalidates the recommendation of setting the setgid bit on the /var/www directory).
As mentioned previously, SFTP is a more modern and more secure way to set up remote file-only access than FISH.
Solution 2
You can create a new user with the following command (I assume you're on a RHEL-compatible distribution):
# useradd -d /var/www/ -g www-data -M -N -s /sbin/nologin user
I have no idea which application is providing access via the fish protocol.
Designs Edge
Updated on September 18, 2022
Comments
-
Designs Edge over 1 year
I will explain as best I can. On my previous server my friend set up a user called webslave.
This user's home directory was /var/www. When I would use FISH protocol to transfer files (using Krusader) user was logged in as webslave@host.
When this user made changes, the group was always intact www-data, for example.
On my new server, I use my username name@host and often the files are owned by me and my group.
I would like to add a user as described above that has www-data as its primary group and no access outside /var/www.
Just want to make sure I do this the right way.
Glad to clarify - All help appreciated - Thanks in advance!
-
Designs Edge over 8 years
Note, my key access accessed the user.
-
Rui F Ribeiro over 8 years
FISH works via SSH (en.wikipedia.org/wiki/Files_transferred_over_shell_protocol), and shell limits in passwd over SSH cannot be enforced securely, i.e. there are ways to easily bypass them.
-
Designs Edge over 8 years
Thanks a lot, somehow missed this functionality - why I love Linux, learn something new and useful every day. I have also started connecting with only SFTP. (Fish was shown to me by my friend as an example.)
-
Rui F Ribeiro over 8 years
Glad to know. Have a look at mod_evasive too.