Update 12/29/2012: I just came across Stephen White’s instructions, which walk through setting up the FTP service itself on EC2, if you haven’t done that yet. The valuable parts I picked up are preventing the FTPuser account from opening a shell, and stopping WordPress from continually asking for your FTP login details. In the user-permission part, however, he didn’t restrict FTPuser to its home directory with chroot.
Another thing we need to take care of before going into the multisite setup is user permissions. The WordPress we just installed belongs to either root (in my case, because I used sudo when unzipping the file) or ec2-user, and we don’t want to use the root account for FTP handling later on.
My solution is to create a new user (wp_admin, for example) and change the owner of the wordpress folder to it. To add some restriction, you can also chroot that user so that wp_admin is confined to the www folder.
sudo groupadd FTPusr
sudo useradd -d /var/www -M -N -g FTPusr -s /sbin/nologin wp_admin
sudo passwd wp_admin
sudo chown -R wp_admin:FTPusr /var/www/wordpress
Add the following lines to the end of your /etc/ssh/sshd_config:
Match Group FTPusr
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
Restart the sshd service:
sudo service sshd restart
Alternatively, you can chroot the single user instead of the group by using Match User wp_admin in the sshd_config.
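The Match block above is easy to get subtly wrong (a typo in the group name, a missing ForceCommand, a ChrootDirectory left out), and sshd will happily accept a block that gives the FTP user more than SFTP. The following is an added example, not code from the original post: a small Python checker that parses the Match blocks of an sshd_config text and reports what is missing from the block for a given user or group. The sample config embedded in it is constructed here; it contains the post's FTPusr block plus a deliberately weaker block for comparison.

```python
"""Audit an sshd_config Match block for a chrooted, SFTP-only account.

Added example (not from the original post). Parses the Match blocks of an
sshd_config text and checks that the block for a given user or group carries
the settings the post adds: ChrootDirectory, ForceCommand internal-sftp,
AllowTcpForwarding no and X11Forwarding no. Keywords are compared
case-insensitively, as sshd itself does.
"""
import sys

# Constructed sample config: the post's block plus a weaker one (assumption).
SAMPLE_SSHD_CONFIG = """
Subsystem sftp internal-sftp

Match Group FTPusr
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User shelluser
    ChrootDirectory /home/shelluser
"""

# Settings every SFTP jail block must carry, lower-cased keyword -> value.
REQUIRED = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}


def parse_match_blocks(text):
    """Return a list of (criteria, options) pairs.

    criteria is the lower-cased text after 'Match' (e.g. 'group ftpusr');
    options maps lower-cased keyword -> value as written. Everything before
    the first Match line is returned first under the criteria 'global'.
    """
    blocks = []
    current = ("global", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            blocks.append(current)
            current = (value.lower(), {})
        else:
            current[1][keyword] = value
    blocks.append(current)
    return blocks


def find_block(blocks, criteria):
    """Options of the block whose criteria match (case-insensitive), else None."""
    for crit, opts in blocks:
        if crit == criteria.lower():
            return opts
    return None


def check_sftp_jail(text, criteria):
    """Return a list of problems with the Match block for `criteria`
    (e.g. 'Group FTPusr'); an empty list means the block is as expected."""
    opts = find_block(parse_match_blocks(text), criteria)
    if opts is None:
        return [f"no Match block for {criteria}"]
    problems = []
    chroot = opts.get("chrootdirectory")
    if not chroot or chroot.lower() == "none":
        problems.append("chrootdirectory not set")
    elif not chroot.startswith("/"):
        problems.append(f"chrootdirectory {chroot!r} is not an absolute path")
    for key, want in REQUIRED.items():
        got = opts.get(key)
        if got is None:
            problems.append(f"{key} not set")
        elif got.lower() != want:
            problems.append(f"{key} is {got!r}, want {want!r}")
    return problems


if __name__ == "__main__":
    # Usage: python sshd_jail_check.py /etc/ssh/sshd_config "Group FTPusr"
    path, criteria = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        issues = check_sftp_jail(fh.read(), criteria)
    print("OK" if not issues else "\n".join(issues))
```

Run it against the live file after editing and before restarting sshd; a non-empty report means the account would still get something other than a chrooted internal-sftp session.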
IMPORTANT: the httpd service owner might not be able to create wp-config.php for you now, because the wordpress folder no longer belongs to it. So go through that setup before changing the owner of the wordpress folder, or you will have to create wp-config.php on the server manually.
After all this, you can set up FTP in your WordPress and enjoy playing with plugins, themes, etc.
To stop WordPress continually asking for your FTP login details every time you update a plugin or theme, edit the wp-config.php file and add the following lines after the MySQL database settings:
/** FTP Settings */
define("FTP_HOST", "YOUR_ELASTIC_IP");
define("FTP_USER", "wp_admin");
define("FTP_PASS", "YOUR_PASSWORD");
For more details on chroot, here are some useful refs:
To chroot an SFTP directory, you must
1) create a user and force root to be the owner of it:
cd /home
mkdir john
useradd -d /home/john -M -N -g users john
sudo chown root:root /home/john
sudo chmod 755 /home/john
2) Change the subsystem location in /etc/ssh/sshd_config:
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
and create a user section:
Match User john
    ChrootDirectory /home/john
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no
All this pain is thanks to several security issues as detailed here. Basically the chroot directory has to be owned by root and can’t have any group-write access. Lovely. So you essentially need to turn your chroot into a holding cell and within that you can have your editable content.
sudo chown root /home/bob
sudo chmod go-w /home/bob
sudo mkdir /home/bob/writeable
sudo chown bob:sftponly /home/bob/writeable
sudo chmod ug+rwX /home/bob/writeable
And bam, you can log in and write in /writeable.
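The "holding cell" layout quoted above is the same one the post builds with /var/www as the chroot and /var/www/wordpress as the writable content: the chroot itself root-owned and not group- or world-writable, the editable directory below it owned by the SFTP user. It is easy to break this later with a stray chown -R on the wrong directory, after which sshd refuses the login. The following is an added example, not code from the post or the quoted references: a Python audit of that layout. It goes slightly beyond the quoted rule in that it checks every component of the chroot path, not only the leaf, because sshd requires all of them to be root-owned and not writable by group or others. The directory trees it is tested against are constructed in the block via a fake stat function; on a real server the default os.stat is used.

```python
"""Audit the ownership and mode of an sshd ChrootDirectory and its writable
subdirectory.

Added example (not from the post or the quoted references). sshd requires
every component of the ChrootDirectory path to be a root-owned directory
that is not writable by group or others; the editable content then lives in
a subdirectory owned by the SFTP user. `stat_fn` is injectable so the checks
can run against a constructed fake tree; the default is os.stat.
"""
import os
import stat


def path_components(path):
    """'/var/www/wordpress' -> ['/', '/var', '/var/www', '/var/www/wordpress']."""
    path = os.path.normpath(path)
    parts = []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return list(reversed(parts))


def check_chroot_path(chroot, stat_fn=os.stat):
    """Return problems with the chroot path; an empty list means sshd accepts it."""
    problems = []
    for comp in path_components(chroot):
        try:
            st = stat_fn(comp)
        except FileNotFoundError:
            problems.append(f"{comp}: does not exist")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{comp}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp}: writable by group or others "
                            f"({oct(st.st_mode & 0o777)})")
    return problems


def check_writable_subdir(path, uid, stat_fn=os.stat):
    """The content directory must be owned by the SFTP user and not world-writable."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path}: not a directory")
    if st.st_uid != uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if not st.st_mode & stat.S_IWUSR:
        problems.append(f"{path}: not writable by its owner")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: world-writable")
    return problems


class FakeStat:
    """Minimal stand-in for os.stat_result, used only for the constructed trees."""
    def __init__(self, mode, uid):
        self.st_mode = mode
        self.st_uid = uid


def make_fake_stat(table):
    """Build a stat_fn over a constructed tree: path -> (mode, uid)."""
    def stat_fn(path):
        if path not in table:
            raise FileNotFoundError(path)
        mode, uid = table[path]
        return FakeStat(mode, uid)
    return stat_fn


# Constructed tree mirroring the post's layout (uid 1001 stands for wp_admin).
GOOD_TREE = {
    "/": (stat.S_IFDIR | 0o755, 0),
    "/var": (stat.S_IFDIR | 0o755, 0),
    "/var/www": (stat.S_IFDIR | 0o755, 0),             # root-owned, go-w
    "/var/www/wordpress": (stat.S_IFDIR | 0o775, 1001),  # chown -R wp_admin:FTPusr
}
# The same tree after a mistaken chown -R on the chroot directory itself.
BAD_TREE = dict(GOOD_TREE)
BAD_TREE["/var/www"] = (stat.S_IFDIR | 0o775, 1001)

if __name__ == "__main__":
    # Real-server usage: python chroot_audit.py (checks the post's paths with os.stat)
    for line in check_chroot_path("/var/www") + check_writable_subdir(
            "/var/www/wordpress", os.stat("/var/www/wordpress").st_uid):
        print(line)
```

Running the checks against a chroot that fails them tells you why sshd rejected the session (the server side logs "bad ownership or modes for chroot directory", which is the symptom this audit explains); the writable-subdirectory check is separate because its correct state (user-owned, group-writable) is the opposite of what the chroot directory itself must be.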