If you are running a Debian Linux web server you may want to create users that can upload and download files from specific directories via SFTP. This post explains how to set this up. First you need to create a user. If you want to create a user with the name 'webdev', log in as root and run the following command at the prompt.
useradd webdev
Now you want to set the password for the new user 'webdev'
passwd webdev
Now we can create a home directory with the following commands.
mkdir /home/webdev
chown webdev:users /home/webdev
Now we only want this user to be able to log in to the server via SFTP. We can do this by changing the user's shell to sftp-server.
usermod -s /usr/lib/sftp-server webdev
Next we need to make sftp-server a valid login shell by adding the line "/usr/lib/sftp-server" at the end of the file /etc/shells.
By default, a new user will be assigned to a new group with the same name as the new user. So in our case the user 'webdev' will belong to the group 'webdev'. In order to make our new user the owner of any other directory including sub-directories (such as the website document root) we can execute the following command.
chown -R webdev:webdev /var/www
So now the new user webdev will be able to log in via SFTP and has owner permissions on their home directory as well as on the web server document root directory.
References: The following page has more useful information about managing groups and users in Linux.
Further Restrictions
In the example above we made the directory that holds the website belong to the group "webdev". If there are other users on the system that you do not want to have access to the website data, it is wise to assign the www directory to the group "www-data" and remove read access to it for other system users.
This limits access to members of that group and to the web server itself, which runs as the user www-data.
For example:
usermod -a -G www-data webdev
usermod -g www-data webdev
chown -R :www-data /var/www
chmod -R o-r /var/www
By doing the above, we have added the user webdev to the group www-data (the group of the user Apache normally runs as). Then we make www-data the default group for the user webdev, after which we make the www directory belong to the www-data group and set the permissions so that the files in that directory are group-readable but not world-readable.
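The following script is an added example, not part of the original post: it checks that the two procedures above (the sftp-server login shell and the group/permission changes on the document root) actually took effect. Each function takes explicit paths, so it can be pointed at the live /etc/shells, /etc/passwd and /var/www or, as demo() does, at a constructed scratch copy; the gid 33 for www-data and the sample passwd lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: checks that the setup above
# actually took effect. Every function takes explicit paths so it can be run
# against the live /etc/shells, /etc/passwd and /var/www or, as in demo(),
# against a constructed scratch copy. The path /usr/lib/sftp-server follows the post.

# Succeed if SHELL appears as an exact line in a shells(5)-style file.
shell_is_listed() {
    grep -Fxq "$2" "$1"
}

# Succeed if USER's login shell in a passwd(5)-style file is exactly SHELL.
user_shell_is() {
    actual=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    [ "$actual" = "$3" ]
}

# Print how many entries under DIR are still readable by "other".
world_readable_count() {
    find "$1" -perm -o+r | wc -l | tr -d ' '
}

# Print how many directories under DIR "other" can still traverse (o+x):
# chmod -R o-r stops listing and reading, but not passing through a directory.
world_traversable_dirs() {
    find "$1" -type d -perm -o+x | wc -l | tr -d ' '
}

# Constructed fixture standing in for the real system; nothing here touches /etc or /var.
demo() {
    tmp=$(mktemp -d)
    printf '/bin/sh\n/bin/bash\n/usr/lib/sftp-server\n' > "$tmp/shells"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    # gid 33 is www-data on a typical Debian system (constructed sample line)
    printf 'webdev:x:1001:33::/home/webdev:/usr/lib/sftp-server\n' >> "$tmp/passwd"
    mkdir -p "$tmp/www/site"
    echo '<h1>hi</h1>' > "$tmp/www/site/index.html"
    chmod 755 "$tmp/www" "$tmp/www/site"; chmod 644 "$tmp/www/site/index.html"
    before=$(world_readable_count "$tmp/www")
    chmod -R o-r "$tmp/www"                 # the hardening step from the post
    after=$(world_readable_count "$tmp/www")
    dirs=$(world_traversable_dirs "$tmp/www")
    shell_is_listed "$tmp/shells" /usr/lib/sftp-server && s1=yes || s1=no
    user_shell_is "$tmp/passwd" webdev /usr/lib/sftp-server && s2=yes || s2=no
    rm -rf "$tmp"
    echo "shell listed=$s1 user shell ok=$s2 world-readable before=$before after=$after traversable dirs=$dirs"
}

demo
```

Using sftp-server as the login shell restricts the protocol, not the filesystem view: without a chroot the user can still read any path that is readable to them, which is why the o-r step on the document root matters.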