Jon Mosco on 10 May 2012 09:27:14 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] chrooting SFTP?

You could use the ACL to not have the execute bit for the group the user is in, so he/she cant move from that directory?

On Thu, May 10, 2012 at 12:25 PM, Michael Leone <turgon@mike-leone.com> wrote:
On Thu, May 10, 2012 at 12:21 PM, Jon Mosco <jonny.mosco@gmail.com> wrote:
> Assuming that from the windows world that you were able to do this in, you
> used ACLs?

Yes, I would have the various users/groups each listed with different
ACL rights. Easiest is RO or RW, but I can limit things like directory
traversal, altho I don't think that helps me in this case.
>
>
> On Thu, May 10, 2012 at 12:21 PM, Jon Mosco <jonny.mosco@gmail.com> wrote:
>>
>> You could use the ACLs then.  Check out setfacl, and getfacl, I think it
>> will do exactly what your looking for.
>>
>> On Thu, May 10, 2012 at 12:18 PM, Michael Leone <turgon@mike-leone.com>
>> wrote:
>>>
>>> Hmmm ... my Open-SHH version is less than the 5.0 mentioned in these
>>> articles. And I don't want to/can't use upgrade the SSH past what is
>>> available for this version of SSH ...
>>>
>>> I've got "openssh-4.3p2-72.el5_7.5" and I don't know if it will do
>>> everything these links say ...
>>>
>>>
>>> On Thu, May 10, 2012 at 11:42 AM, jeff <jeffv@op.net> wrote:
>>> > On 05/10/2012 11:25 AM, Michael Leone wrote:
>>> >>
>>> >> So what would I need to do to secure this a bit more? So they they
>>> >> couldn't move up the tree and over to other folders, for example?
>>> >> Should I chroot it, or would that be very difficult to implement after
>>> >> the fact, as it were?
>>> >>
>>> >
>>> >
>>> > solderintheveins.co.uk/2011/03/ubuntu-sftp-only-account-how-to
>>> > interesting article on creating sftp-only accts
>>> >
>>> > howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
>>> > helped me
>>> >
>>> > don't know RH so not sure if it crosses over - good luck.
>>> >
>>> >
>>> >
>>> > ___________________________________________________________________________
>>> > Philadelphia Linux Users Group         --
>>> >  http://www.phillylinux.org
>>> > Announcements -
>>> > http://lists.phillylinux.org/mailman/listinfo/plug-announce
>>> > General Discussion  --
>>> > http://lists.phillylinux.org/mailman/listinfo/plug
>>>
>>>
>>>
>>> --
>>>
>>> BREAKFAST.SYS halted. Cereal port not responding.
>>>
>>> ___________________________________________________________________________
>>> Philadelphia Linux Users Group         --
>>>  http://www.phillylinux.org
>>> Announcements -
>>> http://lists.phillylinux.org/mailman/listinfo/plug-announce
>>> General Discussion  --
>>> http://lists.phillylinux.org/mailman/listinfo/plug
>>
>>
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>



--

BREAKFAST.SYS halted. Cereal port not responding.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug