Conor Schaefer on 10 May 2012 08:35:26 -0700



Re: [PLUG] chrooting SFTP?


Use a sticky bit to prevent deletion by anyone other than the owner. Make a group and add them to it for reading and writing. Populate their home dir with symlinks elsewhere so you can easily administrate those files, but keep doing so transparent to them.

Use a dirmask to ensure your permissions stay constant over time.

(Writing from phone, otherwise more detail and links.)

On May 10, 2012 11:25 AM, "Michael Leone" <turgon@mike-leone.com> wrote:
I'll admit to being slow today (as if today was different from any
other day ...). Anyways, we run a SSH server here, so that vendors can
send us invoices via SFTP. (at least it's encrypted, and better than
FTP)

So right now they SFTP us data.

So what would I need to do to secure this a bit more? So they
couldn't move up the tree and over to other folders, for example?
Should I chroot it, or would that be very difficult to implement after
the fact, as it were?

And as an aside, is there a way to set the security on their home
directories so that they can't delete files, only add them. What we do
is run a script (as a user who is a member of the same group as the
user home directory) and clear the directory every night, after
copying out the file. I would want that account to be able to delete
the files in there, but not the actual user account.

I know how I would do that in Windows, but not in Linux.

This would be RHEL 5.7, BTW.

Thanks

--

BREAKFAST.SYS halted. Cereal port not responding.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
___________________________________________________________________________
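
How the sticky bit decides who may delete a file in an upload directory, modelled as an added example that is not code from the thread. The account names `vendor1` and `cleanup`, the group `invoices` and the modes are constructed; the function follows the rule Linux applies on unlink (write and search permission on the directory, plus, when the sticky bit is set, ownership of the file or of the directory).

```shell
#!/bin/sh
# Model of the Linux permission check for removing a file from a directory.
# Account names, group name and modes are constructed for illustration.

# can_unlink DIR_MODE DIR_OWNER DIR_GROUP FILE_OWNER ACTOR "ACTOR_GROUPS"
# Prints "allow" or "deny".
can_unlink() {
    mode=$(( 0$1 ))            # octal mode as shown by ls/stat, e.g. 1770
    dir_owner=$2; dir_group=$3; file_owner=$4; actor=$5; actor_groups=$6

    # root bypasses both the permission bits and the sticky restriction.
    if [ "$actor" = root ]; then echo allow; return 0; fi

    # Select the one permission triplet that applies: owner, else group, else other.
    if [ "$actor" = "$dir_owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif echo " $actor_groups " | grep -qF -- " $dir_group "; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi

    # Removing a directory entry needs write (2) and search (1) on the directory.
    if [ $(( bits & 3 )) -ne 3 ]; then echo deny; return 0; fi

    # Sticky bit (01000): only the file's owner or the directory's owner may unlink.
    if [ $(( mode & 01000 )) -ne 0 ] &&
       [ "$actor" != "$file_owner" ] && [ "$actor" != "$dir_owner" ]; then
        echo deny; return 0
    fi
    echo allow
}

# Constructed scenarios: vendor1 uploaded the file; cleanup is in group invoices.
echo "vendor-owned dir 1770, vendor1 deletes own upload: $(can_unlink 1770 vendor1 invoices vendor1 vendor1 invoices)"
echo "vendor-owned dir 1770, cleanup deletes the upload:  $(can_unlink 1770 vendor1 invoices vendor1 cleanup invoices)"
echo "cleanup-owned dir 1770, cleanup deletes the upload: $(can_unlink 1770 cleanup invoices vendor1 cleanup invoices)"
echo "cleanup-owned dir 1770, vendor1 deletes own upload: $(can_unlink 1770 cleanup invoices vendor1 vendor1 invoices)"
```

On a real system, `stat -c '%a %U:%G' DIR` supplies the first three arguments; the model shows that with the sticky bit set, the nightly account needs to own the directory to clear it, and that the uploader, as file owner, is still allowed to remove its own uploads.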