Re: [PLUG] Setting SFTP restrictions to download only, but only for cert

brent timothy saner on 6 Aug 2015 12:18:16 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users

From: brent timothy saner <brent.saner@gmail.com>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
Date: Thu, 6 Aug 2015 15:18:09 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=jPSNPJ69kizdUZSxRTqV780waWysmpkhrCwv75is7yU=; b=TWneRDxq2hNAat6mhxFIMzp1q/jf9nyNMv8+Zu96SRJjz73Cnn00xm7xTfpNeoor6v zTbmvld7fId+BBHRv5oeHOyOuOJXkg8d0EdcAphQ0iaodGiaaghs/X39Fx1R0YgGovwR 0akm2Gt8B2HSE+6l9rGeSBrr+kZpNdzlSrl+sMaplx5GIkCBASTd+m8VnFIA0P8OBBD3 12sj5HZ4qiC0wQcoTYPitdduplihhuj+38mNl+OkaLPTZ4/NqiBr23YGghCoeGFFHsB8 dHXkUbhcRQki8jfYj0SBsUNo/uq5NtgSfAb+XtVv2BtOF/uU8aMnDUE4+54NfNFJx/rR yo3Q==
Openpgp: id=748231EBCBD808A14F5E85D28C004C2F93481F6B
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 08/06/2015 02:47 PM, Michael Leone wrote:
> I have a question. I have a RH server that we use for SFTP transfers
> (meaning: clients put files there for us to take out). Now, I need to
> set up some users for the exact opposite - we will put files in their
> directories for them to download, but we do *not* want them to be able
> to put files into these directories.
> 
> And I am confused on how best to go about that. We are running OpenSSH
> 4.3p2 on the box. This is not chrooted.
> 
> I *think* what I need to do is set their home directory permissions to
> allow read only to their ID and group.
> 
> What I can't do is screw up the existing users sending us files. :-)
> this setup has been working fine for like 5 years.  Or not screw it up
> for the existing users, I should say - can't change anything that is
> currently working.
> 
> So: I will be creating new users, who will be SFTP into us, each into
> their own directory, and they can only download, not upload. I see (I
> think) that I can use a "match groupname" and have SSH chroot only the
> users in that group, and while that is useful, it doesn't solve my
> problem (I don't think).
> 
> 
> Thoughts? Pointers?

I'd combine your idea of permissions, plus making these changes to your
sshd_config.

let's say the dir you want the uploads to be in is /opt/upload/shared

first, make sure sshd_config has "Subsystem sftp internal-sftp".

then,

Match Group sftpjailcell
    ChrootDirectory /opt/upload[1]
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp


[1] or wherever the files are. be careful with this, however- the reason
why we choose the parent directory of our uploads dir specified above is
because every path component you specify for chrootdirectory has to be
owned as root:root, with no write ability from any other user/group. i
*think*, iirc, that read/execute is okay/may be necessary.


THEN:

chown -R root:uploadusers /opt/upload/shared
find /opt/upload/shared -type f -exec chmod 664 '{}' \;
find /opt/upload/shared -type d -exec chmod 755 '{}' \;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJVw7LbAAoJEIwATC+TSB9rkTAP/io9mfNV1lRBUPP6MussL7xS
NtBz+nBQTkz7eXaXz+DaNq0W1PeJl1MlKWIlpEiP9JWbU6RU5URPFWI4gaUuj0Pf
BN1Jq2XgJtZ1TVUJYXPesUJq8XIWY6/37ALcVYtRgI+fxCf0PrFK7Qphz0mDtuig
uvTrTmzF5gk1fUGuy35tC7z7W43VFZZI7eWz7XfpPZH4rXeSop5j3UEgXBUYRbj1
Pq6C3Bx52Fc76xfTBElHNk0vTC4bM+fWbaLSStMl1Go7KckitaIsfiEAeyZ0vm9n
INNoQcBvjP/ZTJdhKPydiXzFFJ1p5E+rXH+szOk1AYKDvIrGn4C03QF4ntbQZ6Ib
awRmFDT1UkUq/Riu2fdxEQB6uRXS2yJuZbD52ijfZUKPvZpJRdaDUx5JAung1v49
P3TBHEwg72R7274MRo8bLt/xKanNH4zPiAWMMLyX5GsZpljvL4108HZcAH/FidJU
lVTq5nhpt2HIulU9xvWXYygFW0fNWtr86UZTgnX70zRgPdMU+AEvH5y3+dYP9Dba
GhdTd8V7YqHxWD0pFqDHVQXKcTROUBf66DqZ62Gww5El5Sl1cbmvwzsxCGFpdY1i
ekhuyNnoj6qzVuN2jEpZh43MrqzwXGRKm6j5jfE7sD//0W/LsLsbbqwW/0cvobII
9G8VMWVYBtwng/zgF9RB
=oej/
-----END PGP SIGNATURE-----
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
  - From: Michael Lazin <microlaser@gmail.com>
- Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
  - From: Michael Leone <turgon@mike-leone.com>

References:
- [PLUG] Setting SFTP restrictions to download only, but only for certain users
  - From: Michael Leone <turgon@mike-leone.com>

Prev by Date: Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
Next by Date: Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
Previous by thread: Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
Next by thread: Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
Index(es):
- Date
- Thread