WordPress SFTP into FreeBSD jail

FreeBSD jail with WordPress SFTP plugin article image

The purpose of this article is to make it easy for WordPress and its 3rd party SFTP plugin to work on a FreeBSD host where the website and web server daemon runs within a jail, but the sshd daemon runs on the host thereby causing problems that prevent the WordPress SFTP plugin from working properly. In this article we enable remote read/write access to the WordPress application to enable it to self-update, using an sftp user who is restricted from seeing or accessing the rest of host’s  filesystem. The jail configuration for WordPress significantly limits the scope of a breach should WordPress or any one of its plugins become compromised by an attacker down the road. This article assumes any modern FreeBSD version is used. The author is using FreeBSD 10 and this very likely works on earlier versions too.

We’ll start by creating a special sftp/ssh user for WordPress on the FreeBSD host.

First create a new group called “chroot”:

pw groupadd chroot

Next, create a new user such as “wordpress-larry” and ensure their primary login group is set to “chroot”. You should likely add the user to an additional, secondary group such as “www” so they can access/edit files for the website.

adduser

Run the adduser command and follow the prompts to create a new user with a STRONG password. In our case we’ll create a new user with the username “wordpress-larry”. Now let’s switch to that user and create a new SSH private/public key pair for logging in, since it’s safer to use keys than a password:

su myuser
cd ~
ssh-keygen -t rsa -b 4096

At this point we need to edit the /etc/ssh/sshd_config file to ensure the user is chroot’ed within their home directory only. The goal is to prevent a rogue user from having any access to the rest of the filesystem, we want to keep him in the protected jail. Edit the file and add a new group for chroot, like this:

nano /etc/ssh/sshd_config

  Match group          chroot
    ChrootDirectory    /home/%u
    X11Forwarding      no
    AllowTcpForwarding no
    ForceCommand       internal-sftp

One the configuration has been updated, restart the SSH daemon, sshd:

/etc/rc.d/sshd restart

The user can only navigate within their home directory thanks to the ChrootDirectory configuration. However we do need them to access part of a website with files located elsewhere, so let’s first mirror the directory structure as seen within a jailed login, so it looks like the wordpress location when the user logs in:

mkdir –p /home/myuser/wordpress

Next we’ll use a filesystem mount to mount the website’s directory into the user’s home directory using mount_nullfs, where “source” is the /full/path to the files you want to make available to the user:

mount_nullfs /path/to/wordpress/files /home/myuser/wordpress

Confirm the mount was successful then create an entry in /etc/fstab related to the above, making sure the entry is all on one line:

/path/to/wordpress/files/ /home/myuser/wordpress/ nullfs rw 0 0

For remote access, it’s critical that the user’s directory be owned by “root” and also be part of the “chroot” group, or else SSH/SFTP will not allow the user to even login:

chown –R root:chroot /home/myuser
chmod 755 /home/myuser

Finally, test the connection (using SFTP, not SSH) to make sure it’s working. Logging in manually will let you confirm that the WordPress files are there, in the user’s home directory, and so the SFTP plugin will be able to function in WordPress with the added security of only being able to see and edit files located in the website’s jail.

Done.

Leave a Reply

Your email address will not be published. Required fields are marked *