Bind Mounts in Linux
Bind mounts in Linux allow you to mount one part of the file hierarchy somewhere else. I highly recommend using bind mounts in chrooted environments, as they can simplify user access control.
Creating Bind Mounts
Bind mounts were added in kernel 2.4.0, so older systems will not support them. Run uname -r to verify your kernel version. As long as bind mounts are supported on your system, you can use the following examples to set one up.
Adding a Read/Write Bind Mount
mount --bind /olddir /newdir
Make it Persistent
cat >> /etc/fstab << EOF
/olddir /newdir none bind
EOF
Adding a Read-Only Bind Mount
mount --bind /olddir /newdir
mount -o remount,ro,bind /newdir
Make it Persistent
cat >> /etc/fstab << EOF
/olddir /newdir none bind
/newdir /newdir none remount,ro,bind
EOF
Note: A lot of people like to make mounts persistent by running tail -n1 /etc/mtab >> /etc/fstab; however, this method may not always format bind mounts properly in /etc/fstab!
Bind Mounts in chrooted Environments
Using the above techniques allows you to easily grant and revoke chrooted FTP/SFTP users' access to different websites. To accomplish this you need a group dedicated to your chrooted users, to change your websites' group owner, and to expand the website group permissions where necessary.
To illustrate this, let's configure a test environment. Read this if you need to configure the chroot portion.
This will be our chrooted group:
groupadd sftponly
This will be our chrooted user:
useradd -s /bin/false -G sftponly -d /home/bob bob
And here are our 3 websites:
mkdir -p /var/www/vhosts/WEBSITE{1,2,3}
We will set the group ownership of the websites to sftponly so that chrooted users, when granted access, can work with the files:
chown -R :sftponly /var/www/vhosts/WEBSITE{1,2,3}
We should also set the Set Group ID (SGID) on the website directories so that any newly created content will have the proper group ownership:
find /var/www/vhosts/WEBSITE{1,2,3} -type d -exec chmod g+s {} \;
With our environment configured, we can grant bob access to any of the sites by creating a subdirectory in /home/bob and bind mounting the website directory to it.
mkdir /home/bob/WEBSITE1
mount --bind /var/www/vhosts/WEBSITE1 /home/bob/WEBSITE1
And to revoke access:
umount /home/bob/WEBSITE1
It’s that easy!
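The grant/revoke steps above, as an added example (not code from the original post), wrapped in shell functions that also verify the kernel's view of the mount afterwards, since a read-only remount that silently did not apply would leave the user with write access. It assumes the post's names (user bob, sites under /var/www/vhosts) and a findmnt binary; the table-parsing helper works on plain text so it can be checked without root.

```shell
#!/bin/sh
# Added example, not code from the original post: grant or revoke a chrooted
# user's access to a site with a bind mount, then verify the kernel's view of
# the mount instead of trusting the exit status. Assumes the post's names
# (user bob, sites under /var/www/vhosts) and a findmnt binary.
set -eu

# Print the /etc/fstab line(s) for a persistent bind mount. For "ro" the post's
# second remount line is emitted, since a plain "bind" entry mounts read/write.
fstab_lines() {  # $1=source $2=target $3=rw|ro
  printf '%s %s none bind 0 0\n' "$1" "$2"
  [ "$3" = ro ] && printf '%s %s none remount,ro,bind 0 0\n' "$2" "$2"
  return 0
}

# Classify a target from "TARGET OPTIONS" lines (the shape of
# `findmnt -rn -o TARGET,OPTIONS`): prints missing, rw or ro.
# Pure text processing, so it can be exercised offline on a constructed table.
mount_state() {  # $1=mount table text $2=target
  printf '%s\n' "$1" | awk -v t="$2" '
    $1 == t { found = 1; state = ($2 ~ /(^|,)ro(,|$)/) ? "ro" : "rw" }
    END { print (found ? state : "missing") }'
}

# Grant bob access to one site; needs root. Fails loudly if the mount is not
# in the expected state (e.g. the read-only remount did not apply).
grant_access() {  # $1=site name (e.g. WEBSITE1) $2=rw|ro
  target="/home/bob/$1"
  mkdir -p "$target"
  mount --bind "/var/www/vhosts/$1" "$target"
  [ "$2" = ro ] && mount -o remount,ro,bind "$target"
  state=$(mount_state "$(findmnt -rn -o TARGET,OPTIONS)" "$target")
  [ "$state" = "$2" ] || { echo "expected $2 on $target, got $state" >&2; exit 1; }
}

# Revoke access and confirm the mount really is gone.
revoke_access() {  # $1=site name
  target="/home/bob/$1"
  umount "$target"
  state=$(mount_state "$(findmnt -rn -o TARGET,OPTIONS)" "$target")
  [ "$state" = missing ] || { echo "$target still mounted" >&2; exit 1; }
}

# Usage (as root): grant_access WEBSITE1 ro ; revoke_access WEBSITE1
```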
Troubleshooting
If you are receiving “Permission denied” errors, be sure to verify the permissions of “other” on /home/bob/ and the permissions of “group” on /var/www/vhosts/WEBSITE{1,2,3}.