Jon Mosco on 10 May 2012 09:01:33 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] chrooting SFTP?

You might want to look into mounting the filesystem with ACL(access control list) support. 

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html



On Thu, May 10, 2012 at 11:54 AM, Michael Leone <turgon@mike-leone.com> wrote:
On Thu, May 10, 2012 at 11:35 AM, Conor Schaefer
<conor.schaefer@gmail.com> wrote:
> Use a sticky bit on to prevent deletion by anyone other than owner.

I want the exact opposite. The owner is the user, I want them not to
be able to delete, but aa different account (in the same group as the
user) to be able to delete.

> Make a
> group and add them to it for reading and writing. Populate their home dir
> with symlinks elsewhere so you can easily administrate those files, but keep
> doing so transparent to them.

Can't. The only things that can be in the home folders are the files
that are uploaded. All contents of the directory are copied and fed
into a system that I don't manage. So I can't have it copy everything
except links, etc.

>
> Use a dirmask to ensure your permissions stay constant over time.
>
> (Writing from phone, otherwise more detail and links.)
>
> On May 10, 2012 11:25 AM, "Michael Leone" <turgon@mike-leone.com> wrote:
>>
>> I'll admit to being slow today (as if today was different from any
>> other day ...). Anyways, we run a SSH server here, so that vendors can
>> send us invoices via SFTP. (at least it's encrypted, and better than
>> FTP)
>>
>> So right now they SFTP us data.
>>
>> So what would I need to do to secure this a bit more? So they they
>> couldn't move up the tree and over to other folders, for example?
>> Should I chroot it, or would that be very difficult to implement after
>> the fact, as it were?
>>
>> And as an aside, is there a way to set the security on their home
>> directories so that they can't delete files, only add them. What we do
>> is run a script (as a user who is a member of the same group as the
>> user home directory) and clear the directory every night, after
>> copying out the file. I would want that account to be able to delete
>> the files in there, but not the actual user account.
>>
>> I know how I would do that in Windows, but not in Linux.
>>
>> This would be RHEL 5.7, BTW.
>>
>> Thanks
>>
>> --
>>
>> BREAKFAST.SYS halted. Cereal port not responding.
>>
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --
>>  http://www.phillylinux.org
>> Announcements -
>> http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --
>> http://lists.phillylinux.org/mailman/listinfo/plug
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>



--

BREAKFAST.SYS halted. Cereal port not responding.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug