Question

2

Unable to create/edit/delete remote files after mounting them locally with SSHFS

rated 0 times [ 2] [ 0] / answers: 1 / hits: 1901 / 3 Years ago, tue, november 23, 2021, 12:08:04

I have a basic server set-up using a RaspberryPI, Ubuntu server 20.04, and Nginx. Using ssh, I can edit the files directly in the terminal, but that becomes sloppy, so I am looking for a more elegant way. Therefore - SSHFS.

Actions:

Mounting the remote volume /var/www/html to a local folder ~/Work/Server.

Opening my text editor and trying to modify and save a file.

Problem:

I receive the error Unable to save file: Permission denied

Trying to solve:

used sshfs -o allow_other - Same result

user sshfs -o allow_other,default_permissions - Same result

Solution: ???

The volume mounts with no errors, I can open and view the files. The group owner of the remote /var/www is www-data, and the user I am connecting as is part of this group.

What am I missing and how can I make this configuration to actually work?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

stantildlike

Add To Favorites

Follow

Total Points: 363

Total Questions: 135

Total Answers: 120

Location: Pitcairn Islands

Member since Fri, Dec 17, 2021

2 Years ago

stantildlike questions

1 I accidentally deleted /usr/bin/test and now I can't update, upgrade and install packages

Thu, Feb 3, 22, 02:47, 2 Years ago

1 I want to run an old GNOME app

Fri, May 5, 23, 00:50, 1 Year ago

1 How to write complex sed query which got special char

Tue, Jun 28, 22, 13:54, 2 Years ago

1 How to stop all processes of a snap package (like Android-Studio)

Mon, Sep 6, 21, 00:17, 3 Years ago

1 How to reduce cpu max speed?

Tue, Dec 13, 22, 07:27, 1 Year ago

View All

answered 3 Years ago avilyexplor · Accepted Answer

OK a few basics, as we ran into misunderstandings:

The first level of permissions comes from the remote server: here files in /var/www are owned by www-data and group is set to the same.

By default only the owner has write access there, while the group is read-only. Thus mounting as your remoter user does not have the desired effect, as he is group member only and not www-data itself.

Best not to change ownership of /var/www as you did - this may break a few things. E.g. users would not be able to upload files to the server as nginx is ran by www-data and thus writes would be done as this user.

So how to manage your problem?

I believe the most secure way would be to mount it as user www-data. Let's go the safe route and use key-based logins only, as well as try to restrict access too the very part we need only. I'll be detailed so other users may profit as well.

Definitions:

client - your PC at home

server - the website server with the directory you want to mount

www-data - the user www-data on the server

dan - your local user on your client

Prerequisite: root-rights on server

1) If not existing, create a keypair for dan on your client

   ssh-keygen

Just go with no password. You now should now have the files id_rsa and id_rsa.pub in ~/.ssh - If you are not familiar with passwordless ssh, there is plenty of information out there.

2) Make www-data accept dan's public key for logins

www-data has /var/www as home directory. In some cases you might want to make this directory browseable. In general you would not want to put the authorized_keys-file (which is a list of accepted public keys for ssh-logins) there despite the home of a user being the standard location. Let's go for a dedicated place then; best in /etc.

On the server: Create a file /etc/www/ssh/authorized_keys (plus parent directories). Change ownership of file AND parent directory to www-data, as well as adapt permissions. This is necessary as ssh only accepts an authorized_keys file with specific permissions on the file and parent directory and ownership by the related user:

   chown -R www-data:www-data /etc/www/ssh

   chmod 700 /etc/www/ssh

   chmod 600 /etc/www/ssh/authorized_keys

Leave ownership of /etc/www with root

Now copy the content of dan's public key (on client /home/dan/.ssh/id_rsa.pub .... pub!, the other one is your secret file and never to be shared) to this file. Make sure the entry is on one line (sometimes copying may introduce newlines). Should look similar to this:

  cat /etc/www/ssh/authorized_keys

  ssh-rsa VERY+long+KEY+from+NUMBERS+and+LETTERS+covering+SEVERAL+lines dan@client

3) Adapt ssh-server for this type of connection

www-data has no shell for security reasons (see /usr/sbin/nologin from grep www /etc/passwd). We therefore need to adapt the ssh-server settings to still allow mounting directories. For security reasons, let's also change the root directory, so www-data via ssh may not escape outside /var/www, and enforce public key authentication, as well as deactivated interactively sending commands. After all a webserver sees the internet - hackers love this.

On the server: At the END of /etc/ssh/sshd_config add these lines. Note that match blocks never end until the next match block. Also note that /var/www must be owned by root (as is default) for the ChrootDirectory command to work.

Match User www-data

    AuthorizedKeysFile /etc/www/ssh/authorized_keys

    ChrootDirectory /var/www/

    ForceCommand internal-sftp

    AllowTcpForwarding no

    X11Forwarding no

    PasswordAuthentication no

(Sources: ArchWiki , ssh without shell , defining authorized keys)

Reload the config via systemctl reload ssh.

4. All done

Do the sshfs-mount as desired on the client

sshfs www-data@server:/html /homa/dan/WorkServer

Note that with the changed root directory, /var/www/html becomes /hmtl only as /var/www is now the root directory.

5. Additional hardening

If applicable: you are doing this in your workplace LAN only? Deny ssh-access to www-data globally and grant it on the network only. Before the match block in sshd_config:

 DenyUsers www-data

and put the work LAN (e.g. 192.168. block) in the match criteria:

 Match User www-data Address 192.168.