How to restrict an SFTP user to their directory after deploying a website with Git on CentOS 7

Hey there, let's walk through your questions step by step based on your CentOS 7 + Git 2.16.2 setup:

Restricting SFTP Access to Only the Home Directory

Using SELinux (Yes, It's Possible)

SELinux can absolutely help lock down your SFTP user, but it usually works alongside SSH's chroot functionality (not as a standalone solution). Here's how it fits in:

  • When you set up a chroot jail for the godaddy user, SELinux might block SFTP from accessing the home directory's content by default. To fix this, ensure the directory has the correct SELinux context:
    restorecon -Rv /home/godaddy
    
  • If SFTP logins into the jail are still denied after that, enable the SELinux boolean that allows sshd to give chrooted users read/write access to their home directories (on CentOS 7 it is named ssh_chroot_rw_homedirs; getsebool lists the booleans your policy actually provides):
    setsebool -P ssh_chroot_rw_homedirs on
    

Note: SELinux adds an extra security layer, but you'll still need to configure SSH's chroot to restrict the user to their home directory (see the next section).

Without SELinux: SSH Chroot Jail (Most Common Approach)

If you prefer not to use SELinux, setting up a chroot jail via SSH is the standard, reliable method. Here's exactly what to do:

  1. Modify the SSH config file: Open /etc/ssh/sshd_config in your editor.
    • Replace the default SFTP subsystem line with the internal SFTP server:
      Subsystem sftp internal-sftp
      
    • Add this block at the end of the file to target the godaddy user (it must come after all global settings, because every line following a Match header belongs to that Match block):
      Match User godaddy
          ForceCommand internal-sftp
          ChrootDirectory /home/godaddy
          PermitTunnel no
          AllowAgentForwarding no
          AllowTcpForwarding no
          X11Forwarding no
      
  2. Fix directory permissions: Chroot requires the jail directory (/home/godaddy) to be owned by root and not writable by group or others; sshd refuses the login ("bad ownership or modes for chroot directory") otherwise:
    chown root:root /home/godaddy
    chmod 755 /home/godaddy
    
    • Keep the httpdocs subdirectory owned by godaddy so the user can manage files there (the jail itself is root-owned, so this subdirectory is the only place the user can write):
      chown godaddy:godaddy /home/godaddy/httpdocs
      
  3. Restart SSH to apply changes:
    systemctl restart sshd
    

After this, the godaddy user won't be able to navigate outside /home/godaddy via SFTP.
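As an added example (not part of the original answer), the shell script below renders the Match block above for a given user, checks the jail directory against the ownership and mode rules sshd enforces, and only touches a real host when run with --apply, validating sshd_config with sshd -t before the restart so a typo cannot lock you out of your admin session. The user name godaddy and the path /home/godaddy come from the answer; the function names, the --apply flag and the timestamped backup name are this script's own choices. It relies on GNU coreutils and findutils (stat -c, find -perm /022), which CentOS 7 ships.

```shell
#!/bin/sh
# Added example: render and sanity-check an SFTP chroot jail for one user.
# Function names and the --apply flag are this script's own (hypothetical).
set -eu

# Print the sshd_config stanza that confines USER to CHROOT_DIR over SFTP.
# It must be appended after all global options, because every line after a
# Match header belongs to that Match block.
render_match_block() {
    user="$1"
    chroot_dir="$2"
    cat <<EOF
Match User $user
    ForceCommand internal-sftp
    ChrootDirectory $chroot_dir
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Verify what sshd checks before entering a chroot: the directory exists,
# is owned by OWNER (root in real use) and is not group- or world-writable.
# Returns 0 when the directory is acceptable, 1 otherwise.
check_chroot_dir() {
    dir="$1"
    owner="${2:-root}"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    actual_owner="$(stat -c %U "$dir")"
    if [ "$actual_owner" != "$owner" ]; then
        echo "bad owner on $dir: $actual_owner (want $owner)" >&2
        return 1
    fi
    # GNU find: -perm /022 matches if either the group or the other write bit is set
    if find "$dir" -maxdepth 0 -perm /022 | grep -q .; then
        echo "$dir is group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Apply the answer's steps on a real host (needs root). Only runs with --apply.
apply_jail() {
    user="$1"
    home="/home/$user"
    chown root:root "$home"
    chmod 755 "$home"
    mkdir -p "$home/httpdocs"
    chown "$user:$user" "$home/httpdocs"
    check_chroot_dir "$home" root
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    sed -i 's|^Subsystem[[:space:]]\+sftp.*|Subsystem sftp internal-sftp|' /etc/ssh/sshd_config
    if ! grep -q "^Match User $user\$" /etc/ssh/sshd_config; then
        render_match_block "$user" "$home" >> /etc/ssh/sshd_config
    fi
    # Validate the config before restarting so a typo cannot lock you out.
    sshd -t
    systemctl restart sshd
}

if [ "${1-}" = "--apply" ]; then
    apply_jail "${2:-godaddy}"
fi
```

Run it as root with `./sftp_jail.sh --apply godaddy`; without --apply it only defines the functions, so you can source it and call check_chroot_dir on any directory you are about to use as a jail.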

Switching to HTTP Git (Absolutely an Option)

Using HTTP/HTTPS for Git is a great alternative to SFTP + SSH Git—it eliminates the need for shell/SFTP access entirely, making your setup more secure for deployment. Here's how it works for your case:

  1. Install required packages: On CentOS 7, install httpd, mod_ssl (for HTTPS) and git, which ships git-http-backend under /usr/libexec/git-core (htpasswd comes with httpd-tools, a dependency of httpd):
    yum install httpd mod_ssl git
    
  2. Configure your Git repository:
    • You can keep using your existing /home/godaddy/httpdocs repo with the receive.denyCurrentBranch updateInstead setting; pushes over HTTP will still update the working directory. Note that the update is now performed by the httpd process, so the apache user needs write access to both the .git directory and the working tree, and SELinux must allow httpd to write there.
    • Alternatively, create a bare repo and set a post-receive hook to deploy files to httpdocs, but your current non-bare setup works fine.
  3. Set up HTTPd for Git:
    • Add a ScriptAlias in /etc/httpd/conf/httpd.conf (or a virtual host file) that maps a URL prefix to /usr/libexec/git-core/git-http-backend, with GIT_PROJECT_ROOT pointing at the directory that holds your repo.
    • Enable HTTP authentication (e.g., with htpasswd) at least for git-receive-pack requests so only authenticated users can push; git-http-backend refuses anonymous pushes by default.
  4. Update your local remote: Replace your SSH remote with an HTTPS one, like:
    git remote set-url origin https://your-server-domain/godaddy.git
    

Now you can push directly over HTTPS without needing SFTP access at all—this ties the godaddy user's access strictly to Git operations, no shell/SFTP required.
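As an added example (not from the original answer), this script renders the httpd configuration the steps above describe and creates the htpasswd file; the paths are those of CentOS 7's httpd, mod_ssl and git packages. The host name git.example.com, the /git/ URL prefix, the certificate paths and the function names are assumptions of this script. With GIT_PROJECT_ROOT set to /home/godaddy, the non-bare repo at /home/godaddy/httpdocs is reachable as https://git.example.com/git/httpdocs, because git-http-backend finds the .git directory inside it.

```shell
#!/bin/sh
# Added example: httpd + git-http-backend with Basic-auth pushes on CentOS 7.
# Host name, URL prefix, certificate paths and function names are assumptions.
set -eu

# Print a VirtualHost that exposes repositories under PROJECT_ROOT at
# https://SERVER_NAME/git/<name>. Only git-receive-pack (pushes) needs a
# password; clones stay open, so wrap the whole /git/ prefix in the auth
# block instead if the repository itself must stay private.
render_git_vhost() {
    server_name="$1"
    project_root="$2"
    htpasswd_file="$3"
    cat <<EOF
<VirtualHost *:443>
    ServerName $server_name
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/$server_name.crt
    SSLCertificateKeyFile /etc/pki/tls/private/$server_name.key

    # git-http-backend resolves repositories relative to GIT_PROJECT_ROOT;
    # GIT_HTTP_EXPORT_ALL removes the need for git-daemon-export-ok files.
    SetEnv GIT_PROJECT_ROOT $project_root
    SetEnv GIT_HTTP_EXPORT_ALL
    ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

    <Directory "/usr/libexec/git-core">
        Options +ExecCGI
        Require all granted
    </Directory>

    # Pushes must authenticate; the backend then sees REMOTE_USER and
    # permits receive-pack, which it denies to anonymous clients.
    <LocationMatch "^/git/.*/git-receive-pack\$">
        AuthType Basic
        AuthName "Git push access"
        AuthUserFile $htpasswd_file
        Require valid-user
    </LocationMatch>
</VirtualHost>
EOF
}

# Create or update USER in the htpasswd file with bcrypt hashes (-B);
# -c is used only on first creation so existing accounts are preserved.
add_push_user() {
    htpasswd_file="$1"
    user="$2"
    if [ -f "$htpasswd_file" ]; then
        htpasswd -B "$htpasswd_file" "$user"
    else
        htpasswd -cB "$htpasswd_file" "$user"
    fi
}

# Real-host application (needs root); only runs with --apply.
apply_git_http() {
    conf=/etc/httpd/conf.d/git.conf
    render_git_vhost git.example.com /home/godaddy /etc/httpd/git.htpasswd > "$conf"
    add_push_user /etc/httpd/git.htpasswd godaddy
    # The push updates refs and (with updateInstead) the working tree as the
    # httpd user, so apache must be able to write the repository.
    chown -R apache:apache /home/godaddy/httpdocs
    httpd -t && systemctl restart httpd
}

if [ "${1-}" = "--apply" ]; then
    apply_git_http
fi
```

After `./git_http.sh --apply`, point the local clone at `https://git.example.com/git/httpdocs`. Handing httpdocs to the apache user is fine once SFTP is no longer used, but SELinux must also permit httpd to write there; the default policy denies httpd writes into home directories, so relabel the tree (or move the repo under /var/www) before expecting the first push to succeed.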


The question answered here was asked on Stack Exchange by user ronrun.
