[How to SFTP with chroot jail with proftpd]

i have managed to setup froxlor with working FTP and SFTP in parallel.

My /etc/proftpd/sftp.conf 

<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0 fe80::1>
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log
    SFTPHostKey /etc/ssh/ssh_host_ecdsa_key
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    Port 2222
    AllowOverwrite on
    DefaultRoot /var/customers/webs
</VirtualHost>
</IfModule>

my /etc/ssh/sshd_config contains

# override default of no subsystems - chagned by tg
# Subsystem     sftp    /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp

Match User testkunde2
    ChrootDirectory /var/customers/webs
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

 

This is working ritght now. User testkunde2 is jailed in /var/customers/webs

 

But what i need is a multi user solution.

Question 1: how i could express the match expression for all froxlor users?

I´ve tried 

Match Group www-data
    ChrootDirectory /var/customers/webs
    ForceCommand internal-sftp
    AllowTCPForwarding no
    X11Forwarding no

which don´t match for any reason. As result user is not jailed in any way and have reading root dir access.

User looks like 

getent passwd testkunde2
testkunde2:x:10001:10001:th gr:/var/customers/webs/testkunde2/:/bin/sh

 

Question 2: chroot is only working if dir is owned by root but froxlor home dirs are owned by user. How could this be managed?

This is a question about my personal understanding from froxlor / ssh / sftp. Froxlor home dirs are owned by it´s users. Is there any solution to integrate SFTP user jails for the homedirs of the users?

 

Thank´s to all in advance!