Bind mounts in Linux allow you to mount one part of the file hierarchy somewhere else. I highly recommend using bind mounts in chrooted environment as it can simplify user access control.

Creating Bind Mounts

Bind mounts were added in kernel 2.4.0, so older systems will not support it. Run uname -r to verify your kernel version. As long as bind mounts are supported on your system, you can use the following examples to set one up.

Adding a Read/Write Bind Mount

mount --bind /olddir /newdir

Make it Persistent

cat >> /etc/fstab << EOF

/olddir /newdir none bind

EOF

Adding a Read-Only Bind Mount

mount --bind /olddir /newdir

mount -o remount,ro,bind /newdir

Make it Persistent

cat >> /etc/fstab << EOF

/olddir /newdir none bind

/newdir /newdir none remount,ro,bind

EOF

NOTE: A lot of people like to make mounts persistent by running tail -n1 /etc/mtab >> /etc/fstab , however this method may not always format bind mounts properly in /etc/fstab!

Bind Mounts in chrooted Environments

Using the above techniques allow you to easily grant and revoke access for different websites to chrooted FTP/SFTP user(s). To accomplish this you would need to have a group dedicated to your chrooted users, change your websites’ group owner, and expand the website group permissions where necessary.

To illustrate this lets configure a test environment. Read this if you need to configure the chroot portion.

This will be our chrooted group:

groupadd sftponly

This will be our chrooted user:

useradd -s /bin/false -G sftponly -d /home/bob bob

And here are our 3 websites:

mkdir -p /var/www/vhosts/WEBSITE{1,2,3}

We will set the group ownership of the websites to sftponly so that chrooted users, when granted access, can work with the files:

chown -R :sftponly /var/www/vhosts/WEBSITE{1,2,3}

We should also set the Set Group ID (SGID) on the website directories so that any newly created content will have the proper group ownership:

find /var/www/vhosts/WEBSITE{1,2,3} -type d -exec chmod g+s {} \;

With our environment configured, we can grant bob access to any of the sites by creating a subdirectory in /home/bob and bind mounting the website directory to it.

mkdir /home/bob/WEBSITE1

mount --bind /var/www/vhosts/WEBSITE1 /home/bob/WEBSITE1

And to revoke access:

umount /home/bob/WEBSITE1

It’s that easy!

Troubleshooting

If you are receiving “Permission denied” errors, be sure to verify the permissions of “other” on /home/bob/ and the permissions of “group” on /var/www/vhosts/WEBSITE{1,2,3}.

------