In the remote box:
create a user not member to any group that has a shell and don't assign a 
password, but configure ~/.ssh/authorized_keys2 to login remotely. 

chown -R www-data.${MY_NEW_USER} /PATH/TO/FILES/I/WANT/TO/EDIT/
find /PATH/TO/FILES/I/WANT/TO/EDIT/ -type d -exec chmod 770 "{}" \;
find /PATH/TO/FILES/I/WANT/TO/EDIT/ -type f -exec chmod 440 "{}" \; 

You could also configure www-data with ssh-keys and add/remove a shell in a 
blink.
You'll need to ssh as root, which either is not allowed by 
/etc/ssh/sshd_config (and you want it like that) or doesn't have a password 
(which you also want it like that)
The solution again is ssh keys and configure /etc/ssh/sshd_config with:
PermitRootLogin without-password 

Now you can:
ssh root@remotebox 'usermod -s/bin/rbash www-data'
sftp as www-data and, immediately after log in (sftp will keep working)
ssh root@localhost 'usermod -s/bin/false www-data'
Free advice, can't sue me...   :)
ET 

 

techlists@phpcoderusa.com writes: 

> Hi,  
> 
> I am running Ubuntu 16.04 on a test server.  I'd like to understand
> ownership for virtual hosts.  I assume www-data:www-data so the files
> can be edited by PHP such as WordPress being able to upload or upgrade
> themes and plugins.  Is this correct?  
> 
> I would also like to do some remote editing using SFTP.  Some say to add
> a password and shell to www-data so the editor can connect as www-data. 
> This seems like a security issue.  
> 
> The other solution i;m seeing is to make the owner:group $USER:$USER -
> which makes the files owned by the SFTP user which seems not secure and
> I'm figuring WordPress will not be able to edit it's own files.  
> 
> What is the appropriate way?  
> 
> Thanks in advance.  
> 
> Keith
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss