Set up a WordPress multisite network on AWS EC2 (4)

Update 12/29/2012: I just came across Stephen White’s instructions, which walk through setting up the FTP service itself on EC2 if you haven’t done that yet. The valuable parts I picked up are forbidding the FTPuser from opening a shell, and stopping WordPress from continually asking for your FTP login details. But in the user permission part, he didn’t restrict the FTPuser to their home directory with chroot.

Another thing we need to take care of before going into the multisite setup is user permissions: the WordPress we just installed belongs either to root (in my case, because I used sudo when unzipping the file) or to ec2-user, and we don’t want to use the root account for FTP handling later on.

My solution is to create a new user (wp_admin, for example) and change the owner of the wordpress folder to it. To add some restriction, you can also chroot that user so that wp_admin is confined to the www folder.

sudo groupadd FTPusr
sudo useradd -d /var/www -M -N -g FTPusr -s /sbin/nologin wp_admin
sudo passwd wp_admin
sudo chown -R wp_admin:FTPusr /var/www/wordpress

Add the following lines to the end of your /etc/ssh/sshd_config:

Match Group FTPusr
ChrootDirectory /var/www
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no

Restart the sshd service:

sudo service sshd restart

Or, you can chroot just that one user by using Match User wp_admin instead of Match Group in sshd_config.

IMPORTANT: the httpd service owner might not be able to create wp-config.php for you after this change. So go through that setup before changing the owner of the wordpress folder, or you will have to create wp-config.php on the server manually.

After all this, you can set up FTP in your WordPress and enjoy playing with plugins, themes, etc.

To stop WordPress continually asking for your FTP login details every time you update a plugin or theme, edit the wp-config.php file and add the following lines after the MySQL database settings:

/** FTP Settings */
define("FTP_USER", "wp_admin");

For more details on chroot, here are some useful refs:

To chroot an SFTP directory, you must

1) create a user and make root the owner of its home directory

cd /home
sudo mkdir john
sudo useradd -d /home/john -M -N -g users john
sudo chown root:root /home/john
sudo chmod 755 /home/john

2) Change the subsystem location on /etc/ssh/sshd_config:

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

and create a user section:

Match User john
ChrootDirectory /home/john
ForceCommand internal-sftp
AllowTCPForwarding no
X11Forwarding no

All this pain is thanks to several security issues, as detailed here. Basically the chroot directory has to be owned by root and can’t have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell, and within that you can have your editable content.

sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writeable
sudo chown bob:sftponly /home/bob/writeable
sudo chmod ug+rwX /home/bob/writeable

And bam, you can log in and write in /writeable.
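The ownership rule quoted above is the same one that applies to the ChrootDirectory /var/www used earlier in this post, and sshd simply refuses the SFTP login when it is violated. Here is an added example, not from the original post or from any of the quoted references: a small POSIX shell check that walks from a candidate chroot directory up to / and reports the first component that is not owned by root or is group- or world-writable, which is what sshd verifies for every component of the path before it honours ChrootDirectory. It assumes a Linux stat that understands -c %A and %U (GNU coreutils or busybox); /var/www is just the path from this post and the writable subdirectory is the pattern from the quote above.

```shell
#!/bin/sh
# Added example (not part of the original post): check a directory against
# sshd's ChrootDirectory rules before enabling the Match block.
# sshd requires every path component, from / down to the chroot itself, to be
# owned by root and not writable by group or others. Assumes GNU/busybox stat.

# Pure check on one component: symbolic mode as printed by `stat -c %A`
# (e.g. "drwxr-xr-x") and owner name. Returns 0 if acceptable, 1 otherwise.
chroot_dir_ok() {
    mode="$1"
    owner="$2"
    [ "$owner" = "root" ] || return 1
    # Character 6 is the group write bit, character 9 the world write bit.
    case "$mode" in
        ?????w*) return 1 ;;    # group-writable
        ????????w*) return 1 ;; # world-writable
    esac
    return 0
}

# Walk from the candidate chroot up to / and apply the check to each component.
check_chroot_path() {
    dir="$1"
    case "$dir" in
        /*) ;;
        *) echo "path must be absolute: $dir" >&2; return 2 ;;
    esac
    cur="$dir"
    while :; do
        if [ ! -d "$cur" ]; then
            echo "not a directory: $cur" >&2
            return 1
        fi
        mode=$(stat -c %A "$cur") || return 1
        owner=$(stat -c %U "$cur") || return 1
        if ! chroot_dir_ok "$mode" "$owner"; then
            echo "sshd will reject this chroot: $cur is $mode owned by $owner" >&2
            return 1
        fi
        [ "$cur" = "/" ] && break
        cur=$(dirname "$cur")
    done
    echo "ok: $dir and every parent are root-owned and not group/world-writable"
    return 0
}

# Example run against the chroot from the post. The user's writable content
# (/var/www/wordpress, owned by wp_admin) lives inside the chroot; the chroot
# itself must stay root-owned, so only /var/www is checked here.
check_chroot_path /var/www || echo "fix ownership/permissions before restarting sshd"
```

If the check fails, the quoted fix applies: chown the chroot to root, remove group/world write with chmod go-w, and give the SFTP user its own writable subdirectory beneath it.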
