Return to Answer

Warning for this section, this is only recommended if your only usage is web-hosting, apache is not meant to have access to home users folder (other suggestion at the end of the answer may be more suitable).

1. Web/Apache group (www-data group) must have all users using the service
2. Apache and the users need to have access to their respective www while limiting access between each others

Like that apache would have access to the necessary www directory and users wont have access to other users folders.

The key here is the group permission is shared between users while apache it self is a user that is not exposed to other user, for instance chown www:me /home/me keep me isolated from other user while granting access to apache and me (and chown me:www /home/me would let everyone on the group www access me folder)

This is why the default www location is under /var and not under the home directory, to let apache and the user have w/r to www without giving apache unnecessary access (like in this case access to the whole users folder)

If your home folder is only meant for www (web usage) you are fine with the current suggestion/config, now if you are using the system for additional purpose more than web hosting; then www should not reside on /home folder but on an other location like /var; in that case you would need to remove ChrootDirectory usage and instead go for a classic config where the file access would be managed only by file access permission, here is some reading about restriction to a classic user...

If you want security, separation, web hosting plus other linux/server usage for each user, you would need to implement a different solution evolving virtualisation and/or sandboxing.

The implementation depend on the targeted security level and the targeted usage. Thus one config could be great for one situation and at the same time bad for an other situation.

Your current config is not far from a classic one where instead of ChrootDirectory classic file permissions, group, and user access level would be used to manage the separation between each ssh user. i guess that you are just missing user access level on your config to achieve that. Here are some details on how to implement that here, here and here (that said using ChrootDirectory in addition to that is a good security practice)

First PermitRootLogin yes should never be used, instead add me user to the suders... Root will then be accessible through me user with sudo su or su

If you are targeting a hardened security, Kernel user space feature can be used, which will separate completely each users but this is a whole other config, this can be achieved with the native linux tools and/or firejail to separate files/network etc.

Also here are some interesting link on the topic

• SSH as a normal user
• Kernel userpace
• Sandboxing in linux

Finally regarding your config i would just suggest

Warning for this section, this is only recommended if your only usage is web-hosting, apache is not meant to have access to home user's folder (other suggestion at the end of the answer may be more suitable).

1. Web/Apache group (www-data group) must have all users using the service
2. Apache and the users need to have access to their respective www while limiting access between each other

Like that, apache would have access to the necessary www directory and users won't have access to other users folders.

The key here is the group permission is shared between users while apache itself is a user that is not exposed to other user, for instance chown www:me /home/me keep me isolated from other user while granting access to apache and me (and chown me:www /home/me would let everyone on the group www access me folder)

This is why the default www location is under /var and not under the home directory, to let apache and the user have w/r to www without giving apache unnecessary access (like in this case access to the whole user's folder)

If your home folder is only meant for www (web usage) you are fine with the current suggestion/config, now if you are using the system for additional purpose more than web hosting; then www should not reside on /home folder but on another location like /var; in that case you would need to remove ChrootDirectory usage and instead go for a classic config where the file access would be managed only by file access permission, here is some reading about restriction to a classic user...

If you want security, separation, web hosting plus other Linux/server usage for each user, you would need to implement a different solution evolving virtualisation and/or sandboxing.

The implementation depends on the targeted security level and the targeted usage. Thus one config could be great for one situation and at the same time bad for another situation.

Your current config is not far from a classic one where instead of ChrootDirectory classic file permissions, group, and user access level would be used to manage the separation between each ssh user. I guess that you are just missing user access level on your config to achieve that. Here are some details on how to implement that here, here and here (that said using ChrootDirectory in addition to that is a good security practice)

First PermitRootLogin yes should never be used, instead add me user to the suders. Root will then be accessible through me user with sudo su or su

If you are targeting a hardened security, Kernel user space feature can be used, which will separate completely each user, but this is a whole other config. This can be achieved with the native Linux tools and/or firejail to separate files/network etc.

Also here are some interesting link on the topic:

• SSH as a normal user
• Kernel userpace
• Sandboxing in Linux

Finally, regarding your config I would just suggest

The directory www need to be present in a location that belong to apache (www-data user) in your current config setting /home/me to www-data:me or /home to www-data:root is a workaround because you are locating www inside the user directory.

The key here is the group permission is shared between users while apache it self is a user that is not exposed to other user, for instance chown www:me /home/me keep me isolated from other user while granting access to apache and me (and chown me:www /home/me would let everyone on the group www access me folder)

The directory www need to be present in a location that belong to apache (www-data user) in your current config setting /home/me to www-data:me or /home to www-data:root is a workaround because you are locating www inside the user directory.

• Each directory under /home should have www-data:user rights
• Or make /home belong to apache chown www-data:root /home

        chown www-data:me /home/me
        #or
        chown www-data:root /home

• Each directory under /home should have www-data:user rights

        chown www-data:me /home/me

OR

1. Web/Apache group (www-data group) must have all users using the service
2. Apache and the users need to have access to their respective www while limiting access between each others

• Home user's folder should have the right chown me:me /home/me
• Make /home belong to apache chown www-data:root /home