Michael Leone on 6 Aug 2015 11:47:51 -0700
[PLUG] Setting SFTP restrictions to download only, but only for certain users
- From: Michael Leone <firstname.lastname@example.org>
- To: PLUG <email@example.com>
- Subject: [PLUG] Setting SFTP restrictions to download only, but only for certain users
- Date: Thu, 6 Aug 2015 14:47:22 -0400
- Reply-to: Philadelphia Linux User's Group Discussion List <firstname.lastname@example.org>
- Sender: "plug" <email@example.com>
I have a question. I have a RH server that we use for SFTP transfers (meaning: clients put files there for us to take out). Now, I need to set up some users for the exact opposite - we will put files in their directories for them to download, but we do *not* want them to be able to put files into these directories.
And I am confused on how best to go about that. We are running OpenSSH 4.3p2 on the box. This is not chrooted.
I *think* what I need to do is set their home directory permissions to allow read only to their ID and group.
What I can't do is screw up the existing users sending us files. :-) This setup has been working fine for like 5 years. Or not screw it up for the existing users, I should say - can't change anything that is currently working.
So: I will be creating new users, who will SFTP into us, each into their own directory, and they can only download, not upload. I see (I think) that I can use a "match groupname" and have SSH chroot only the users in that group, and while that is useful, it doesn't solve my problem (I don't think).
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
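
Added example, not part of the original message: the post proposes making the new users' directories read-only for their ID and group. Because an SFTP client can change the mode of anything its account owns, the check below lists every entry under a directory that the account owns or can write to through group or world permissions. `audit_download_dir` is a hypothetical helper, GNU `stat` is assumed, and `dluser`/`dlgroup` are made-up names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (-c).
# audit_download_dir DIR USER [GROUP...]
#   Prints every entry under DIR that USER could write to, or could make
#   writable again. Returns 0 when nothing is found, 1 otherwise.
#   GROUP... are the groups USER belongs to, e.g. $(id -Gn USER).
audit_download_dir() {
    dir=$1; user=$2; shift 2
    groups=" $* "
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlink modes are always 777 and mean nothing, so skip them.
    find "$dir" ! -type l -exec stat -c '%U %G %a %n' {} + |
    awk -v u="$user" -v gl="$groups" '
        function w(d) { return int(d / 2) % 2 }   # write bit of one octal digit
        {
            other = $3 % 10; group = int($3 / 10) % 10
            if ($1 == u)
                why = "owned by user (can chmod +w over SFTP)"
            else if (w(other))
                why = "world-writable"
            else if (w(group) && index(gl, " " $2 " "))
                why = "writable by group " $2
            else
                next
            print why ": " $0; bad = 1
        }
        END { exit bad + 0 }'
}

# Constructed demo tree; "dluser" and "dlgroup" are made-up names.
demo=$(mktemp -d)
mkdir "$demo/outgoing"; chmod 750 "$demo/outgoing"
touch "$demo/outgoing/report.csv"; chmod 640 "$demo/outgoing/report.csv"
audit_download_dir "$demo" dluser dlgroup && echo "download-only: ok"
rm -rf "$demo"
```

In real use the group list would come from `id -Gn` for the account being audited, and a clean result only covers file-system permissions under the audited directory.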