Michael Leone on 10 May 2012 08:55:03 -0700
Re: [PLUG] chrooting SFTP?
On Thu, May 10, 2012 at 11:35 AM, Conor Schaefer <conor.schaefer@gmail.com> wrote:
> Use a sticky bit to prevent deletion by anyone other than owner.

I want the exact opposite. The owner is the user; I want them not to be
able to delete, but a different account (in the same group as the user)
to be able to delete.

> Make a group and add them to it for reading and writing. Populate their
> home dir with symlinks elsewhere so you can easily administrate those
> files, but keep doing so transparent to them.

Can't. The only things that can be in the home folders are the files that
are uploaded. All contents of the directory are copied and fed into a
system that I don't manage. So I can't have it copy everything except
links, etc.

> Use a dirmask to ensure your permissions stay constant over time.
>
> (Writing from phone, otherwise more detail and links.)
>
> On May 10, 2012 11:25 AM, "Michael Leone" <turgon@mike-leone.com> wrote:
>>
>> I'll admit to being slow today (as if today was different from any
>> other day ...). Anyways, we run an SSH server here, so that vendors can
>> send us invoices via SFTP. (At least it's encrypted, and better than
>> FTP.)
>>
>> So right now they SFTP us data.
>>
>> So what would I need to do to secure this a bit more? So that they
>> couldn't move up the tree and over to other folders, for example?
>> Should I chroot it, or would that be very difficult to implement after
>> the fact, as it were?
>>
>> And as an aside, is there a way to set the security on their home
>> directories so that they can't delete files, only add them? What we do
>> is run a script (as a user who is a member of the same group as the
>> user home directory) and clear the directory every night, after
>> copying out the file. I would want that account to be able to delete
>> the files in there, but not the actual user account.
>>
>> I know how I would do that in Windows, but not in Linux.
>>
>> This would be RHEL 5.7, BTW.
>>
>> Thanks
>>
>> --
>> BREAKFAST.SYS halted. Cereal port not responding.

--
BREAKFAST.SYS halted. Cereal port not responding.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
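The chroot question in the thread ("should I chroot it?") has a well-known trap once you do: OpenSSH refuses a ChrootDirectory unless that directory and every directory above it are owned by root and not writable by group or others, so the vendor's writable upload area has to be a subdirectory inside the chroot rather than the chroot itself. The script below is an added example written for this archive page, not something posted in the thread; it carries a sample sshd_config Match block in comments and a small checker that walks a chroot path and reports any directory that would make sshd reject the login. The paths /srv/sftp/%u, the group name sftponly and the "upload" subdirectory are assumptions, and the checker relies on GNU stat(1) (`-c '%U %A'`) as shipped on RHEL and other Linux systems, plus an OpenSSH build that supports ChrootDirectory and internal-sftp.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): check an OpenSSH chrooted-SFTP
# directory layout before vendors start failing to log in.
#
# Assumed sshd_config fragment this checker goes with (hypothetical names):
#
#   Subsystem sftp internal-sftp
#   Match Group sftponly
#       ChrootDirectory /srv/sftp/%u
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd's rule: /srv/sftp/<user> and every parent up to / must be owned by
# root and must not be group- or world-writable. The vendor writes into
# /srv/sftp/<user>/upload, which is the only directory they own.

# dir_ok DIR [OWNER]
# Returns 0 if DIR is a directory owned by OWNER (default root) with no
# group or other write bit; otherwise prints each violation and returns 1.
dir_ok() {
    p=$1
    exp=${2:-root}
    ok=0
    [ -d "$p" ] || { echo "$p: not a directory"; return 1; }
    # GNU stat: owner name and symbolic mode, e.g. "root drwxr-xr-x"
    set -- $(stat -c '%U %A' "$p")
    [ "$1" = "$exp" ] || { echo "$p: owned by $1, sshd requires $exp"; ok=1; }
    # symbolic mode: position 6 is group write, position 9 is other write
    case $2 in ?????w*) echo "$p: group-writable ($2)"; ok=1 ;; esac
    case $2 in ????????w*) echo "$p: world-writable ($2)"; ok=1 ;; esac
    return $ok
}

# check_chroot_path DIR [OWNER] [STOP]
# Applies dir_ok to DIR and each parent up to and including STOP
# (default /, which is what sshd actually checks). Returns 0 only if
# every directory on the way passes.
check_chroot_path() {
    d=$1
    want=${2:-root}
    stop=${3:-/}
    rc=0
    while :; do
        dir_ok "$d" "$want" || rc=1
        [ "$d" = "$stop" ] && break
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    return $rc
}

# Stand-alone use: ./check-chroot.sh /srv/sftp/vendor1
if [ -n "$1" ]; then
    if check_chroot_path "$1"; then
        echo "$1: chroot layout acceptable to sshd"
    else
        echo "$1: fix the directories listed above before enabling ChrootDirectory" >&2
        exit 1
    fi
fi
```

Note that the locked-down chroot only addresses "moving up the tree"; it does nothing for the second question in the thread, because Unix file deletion is governed by write permission on the containing directory, and the vendor must be able to write to their upload directory in order to add files at all.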