Carl Johnson on 10 May 2012 09:05:29 -0700



Re: [PLUG] chrooting SFTP?


Isn't this something SELinux could handle?

Sent from my Motorola DynaTAC 8000x

Jon Mosco <jonny.mosco@gmail.com> wrote:

>You might want to look into mounting the filesystem with ACL (access
>control list) support.
>
>http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html
>
>
>
>On Thu, May 10, 2012 at 11:54 AM, Michael Leone
><turgon@mike-leone.com>wrote:
>
>> On Thu, May 10, 2012 at 11:35 AM, Conor Schaefer
>> <conor.schaefer@gmail.com> wrote:
>> > Use a sticky bit to prevent deletion by anyone other than the owner.
>>
>> I want the exact opposite. The owner is the user; I want them not to
>> be able to delete, but a different account (in the same group as the
>> user) to be able to delete.
>>
>> > Make a group and add them to it for reading and writing. Populate their
>> > home dir with symlinks elsewhere so you can easily administrate those
>> > files, but keep doing so transparent to them.
>>
>> Can't. The only things that can be in the home folders are the files
>> that are uploaded. All contents of the directory are copied and fed
>> into a system that I don't manage. So I can't have it copy everything
>> except links, etc.
>>
>> >
>> > Use a dirmask to ensure your permissions stay constant over time.
>> >
>> > (Writing from phone, otherwise more detail and links.)
>> >
>> > On May 10, 2012 11:25 AM, "Michael Leone" <turgon@mike-leone.com> wrote:
>> >>
>> >> I'll admit to being slow today (as if today was different from any
>> >> other day ...). Anyways, we run an SSH server here, so that vendors can
>> >> send us invoices via SFTP. (at least it's encrypted, and better than
>> >> FTP)
>> >>
>> >> So right now they SFTP us data.
>> >>
>> >> So what would I need to do to secure this a bit more? So that they
>> >> couldn't move up the tree and over to other folders, for example?
>> >> Should I chroot it, or would that be very difficult to implement after
>> >> the fact, as it were?
>> >>
>> >> And as an aside, is there a way to set the security on their home
>> >> directories so that they can't delete files, only add them. What we do
>> >> is run a script (as a user who is a member of the same group as the
>> >> user home directory) and clear the directory every night, after
>> >> copying out the file. I would want that account to be able to delete
>> >> the files in there, but not the actual user account.
>> >>
>> >> I know how I would do that in Windows, but not in Linux.
>> >>
>> >> This would be RHEL 5.7, BTW.
>> >>
>> >> Thanks
>> >>
>> >> --
>> >>
>> >> BREAKFAST.SYS halted. Cereal port not responding.
>>
>> --
>>
>> BREAKFAST.SYS halted. Cereal port not responding.
>>

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug