sean finney on 4 May 2010 22:39:08 -0700


Re: [PLUG] How to share write access to files via scp?...

On Tue, May 04, 2010 at 07:51:34PM -0400, Fred Stluka wrote:
> - Put all users in a group called team, set the group of the
>  directory to team, and set the SGID bit of the directory.
>  % sudo groupadd team
>  % sudo usermod -a -G team user1
>  % sudo usermod -a -G team user2
>  % sudo usermod -a -G team user3
>  % sudo chgrp team /var/share
>  % sudo chmod g+s  /var/share
>  - Good:
>    - Various users can now write new files to /var/share via scp, and
>      can overwrite existing files written there by other users IF the g+w
>      bit is set on the files.
>  - Bad:
>    - When user creates file via scp, default is g-w, regardless of
> umask.  Why?

probably because there's something, somewhere else, which is changing
the umask, or the user's software (winscp, rsync, whatever) is explicitly
chmodding it later on.

>    - When user overwrites file via scp, the owner doesn't change.  Why?

probably because the software isn't creating a new file, but opening the
old one, seeking to the beginning and writing out the data.

>    - Directories created recursively via scp do not inherit the g+s
> bit.  Why?

they ought to, probably tied into the above.

> Any thoughts?  Thanks!

if you want to control umask/permissions with more of an iron fist, openssh
is pretty hard for this, since the options to chmod and set umask are built
in at the protocol (sftp) level.  at one customer i helped them set up a custom
openssh service using the sftpfilecontrol patch (
which forces you to recompile ssh yourself but removes the ability to
override umask or chmod files after they are created.  some distros (not
anything debian-like afaik) even ship this patch on by default.

alternatively you could set up an ftp+ssl service where you could have more
control (i think vsftpd lets you force this, for example, though i've never
set it up with ssl), or if remote access isn't important you can also
force perms/masks via samba.
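The three observations quoted above can be reproduced on a local scratch directory without a second user or an sftp server, which makes it easy to separate filesystem behaviour from what the client does. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes Linux with GNU coreutils (`stat -c`) and that the scratch directory is on a filesystem that honours the setgid bit. Function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the original thread): reproduce the three
# observations from the quoted message on a local scratch directory, so the
# explanations in the reply (umask vs. explicit chmod, in-place overwrite vs.
# new file) can be checked. Assumes Linux + GNU coreutils (stat -c).
set -e

# Scratch "shared" directory with the setgid bit, like /var/share in the thread.
make_share() {
    dir=$(mktemp -d)
    chmod 2775 "$dir"
    echo "$dir"
}

# Mode of a freshly created file under a given umask inside the share.
# A plain create honours the umask (0002 -> 664, 0022 -> 644); a g-w result
# despite umask 0002 therefore points at a different umask in the sshd
# environment or at the client chmod'ing the file afterwards.
mode_with_umask() {          # $1 = share dir, $2 = umask
    (umask "$2"; : > "$1/f.$2")
    stat -c %a "$1/f.$2"
}

# Overwrite in place (open, truncate, write): the inode is reused, so the
# owner and mode of the old file are untouched. This is the "owner doesn't
# change" case from the quoted message.
overwrite_in_place() {       # $1 = share dir
    echo old > "$1/keep"
    chmod 664 "$1/keep"
    before=$(stat -c %i "$1/keep")
    echo new > "$1/keep"     # truncates the existing inode
    after=$(stat -c %i "$1/keep")
    if [ "$before" = "$after" ]; then echo same; else echo different; fi
}

# Replace via temporary file + rename (what rsync does by default): a new
# inode, so owner and mode come from the uploading user, not the old file.
replace_by_rename() {        # $1 = share dir
    echo old > "$1/swap"
    before=$(stat -c %i "$1/swap")
    echo new > "$1/swap.tmp"
    mv -f "$1/swap.tmp" "$1/swap"
    after=$(stat -c %i "$1/swap")
    if [ "$before" = "$after" ]; then echo same; else echo different; fi
}

# A subdirectory made with a plain mkdir(2) inside a setgid directory inherits
# the setgid bit on Linux (first octal digit is 2). If a client-created
# subdirectory lacks it, the client set an explicit mode after creating it.
subdir_mode() {              # $1 = share dir
    mkdir "$1/sub"
    stat -c %a "$1/sub"
}

# Stand-alone run: print each observation, then clean up.
if [ "${SHARE_DEMO_QUIET:-0}" = 0 ]; then
    d=$(make_share)
    echo "share dir mode:            $(stat -c %a "$d")"
    echo "new file, umask 0002:      $(mode_with_umask "$d" 0002)"
    echo "new file, umask 0022:      $(mode_with_umask "$d" 0022)"
    echo "overwrite in place, inode: $(overwrite_in_place "$d")"
    echo "replace by rename, inode:  $(replace_by_rename "$d")"
    echo "mkdir inside share, mode:  $(subdir_mode "$d")"
    rm -rf "$d"
fi
```

If the in-place case shows "same" but files uploaded over sftp still come out g-w, the remaining suspects are the umask inherited by the sftp subsystem (sshd does not read the user's shell rc files) and an explicit chmod sent by the client; newer OpenSSH releases also let the server pin the mask with the `-u umask` option of `sftp-server`/`internal-sftp`, which avoids recompiling.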

