# chroot and permalink



## fred974 (Jun 18, 2014)

Hello everyone,

I need to give access to my webserver to a third party supplier. I have created a chroot account and created a symbolic link to the www directory but the user is not able to navigate to it (permission denied). How can I give them access and allow them to modify only a specific directory and subdirectory and still stop them from navigating to other parts of the server?

Thank you in advance for your replies.

Note: I don't have FTP on my box.


----------



## kpa (Jun 18, 2014)

Maybe mount the shared directory with nullfs(5) to the chroot(8) environment?


----------



## fred974 (Jun 18, 2014)

kpa said:

> Maybe mount the shared directory with nullfs(5) to the chroot(8) environment?



Thank you for your suggestion. I tried it and got the following:

```
root@webjail:~ # mount_nullfs /home/wpmlrescue/ /www/webs/wedding/test/httpdocs
mount_nullfs: /www/webs/wedding/test/httpdocs: Operation not permitted
```

The chroot account was created following this guide http://bsdtutorial.org/freebsd/sftp-chroot/.


----------



## kpa (Jun 18, 2014)

It sure won't work if you do it inside the chroot. Do the mount outside the chroot, much like you would do for a jail.


----------



## fred974 (Jun 18, 2014)

kpa said:

> It sure won't work if you do it inside the chroot. Do the mount outside the chroot, much like you would do for a jail.



Sorry, my mistake. I managed to mount /www/webs/wedding/test/httpdocs inside my chroot user directory. The problem that I have now is that the chroot user can navigate to the www directory but not save any changes to the files. I added the chroot user to the www group but that didn't fix the problem.

Do you have any more suggestions, please?


----------



## junovitch@ (Jun 20, 2014)

Is the default read-only for nullfs(5) mounts? I can't remember. Check your `mount` output and if it says read-only then mount it again with `-o rw` flags.


----------



## kpa (Jun 21, 2014)

The default is read-write so the problem must be in the permissions of the shared directory.


----------
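An added example, not part of the thread: a nullfs mount exposes the ownership and mode bits of the underlying files unchanged, so being in the www group only helps where entries are owned by that group and carry group write (plus search on directories). The function name and output labels below are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The function name and the output
# labels are assumptions made for this illustration.
#
# group_write_gaps DIR GROUP
#   Lists every entry under DIR that membership in GROUP alone does not
#   make modifiable. Returns 0 if there are none, 1 if any were listed,
#   2 on a usage or find(1) error.
group_write_gaps() {
    dir=$1
    grp=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # One pass, first matching rule wins for each entry:
    #   wrong-group     owned by another group, so GROUP's bits do not apply
    #   dir-needs-g+wx  directory lacks group write or search (mode 030)
    #   file-needs-g+w  regular file lacks group write (mode 020)
    gaps=$(find "$dir" \
        \( ! -group "$grp" -exec echo wrong-group {} \; \) -o \
        \( -type d ! -perm -030 -exec echo dir-needs-g+wx {} \; \) -o \
        \( -type f ! -perm -020 -exec echo file-needs-g+w {} \; \)) || return 2

    [ -z "$gaps" ] && return 0
    printf '%s\n' "$gaps"
    return 1
}

# Stand-alone use, run outside the chroot against the real directory,
# e.g.: sh thisfile /www/webs/wedding/test/httpdocs www
if [ "$#" -eq 2 ]; then
    group_write_gaps "$1" "$2"
fi
```

An empty result means the group bits are in place throughout the tree; anything listed is a path where the supplier's account would still get a permission error on save.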

