brent timothy saner on 6 Aug 2015 12:18:16 -0700



Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users


On 08/06/2015 02:47 PM, Michael Leone wrote:
> I have a question. I have a RH server that we use for SFTP transfers
> (meaning: clients put files there for us to take out). Now, I need to
> set up some users for the exact opposite - we will put files in their
> directories for them to download, but we do *not* want them to be able
> to put files into these directories.
> 
> And I am confused on how best to go about that. We are running OpenSSH
> 4.3p2 on the box. This is not chrooted.
> 
> I *think* what I need to do is set their home directory permissions to
> allow read only to their ID and group.
> 
> What I can't do is screw up the existing users sending us files. :-)
> this setup has been working fine for like 5 years.  Or not screw it up
> for the existing users, I should say - can't change anything that is
> currently working.
> 
> So: I will be creating new users, who will be SFTP into us, each into
> their own directory, and they can only download, not upload. I see (I
> think) that I can use a "match groupname" and have SSH chroot only the
> users in that group, and while that is useful, it doesn't solve my
> problem (I don't think).
> 
> 
> Thoughts? Pointers?

I'd combine your idea of permissions, plus making these changes to your
sshd_config.

Let's say the dir you want the uploads to be in is /opt/upload/shared.

First, make sure sshd_config has "Subsystem sftp internal-sftp".

Then,

Match Group sftpjailcell
    ChrootDirectory /opt/upload    # see [1]
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp


[1] Or wherever the files are. Be careful with this, however: the reason
why we choose the parent directory of our uploads dir specified above is
because every path component you specify for ChrootDirectory has to be
owned as root:root, with no write ability from any other user/group. I
*think*, IIRC, that read/execute is okay/may be necessary.


THEN:

# root owns everything; the download group only gets read access.
# Files are 644 (not 664): group write would let the downloaders
# overwrite the files you put there, which is exactly what we're trying
# to prevent. Directories stay 755 so the group can list and enter them
# but cannot create, rename or delete entries.
chown -R root:uploadusers /opt/upload/shared
find /opt/upload/shared -type f -exec chmod 644 '{}' \;
find /opt/upload/shared -type d -exec chmod 755 '{}' \;
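As an added example that is not part of the original post, the POSIX shell below checks the two properties the reply above depends on: that every component of the ChrootDirectory path is owned by root and has no group/other write bits (the condition sshd enforces before it will chroot, logging "bad ownership or modes for chroot directory component" otherwise), and that nothing under the download directory is writable by the group that is only supposed to read it. It assumes GNU stat(1) and find(1); the optional uid argument is there so the check can be exercised as an unprivileged user against a scratch tree, whereas a real ChrootDirectory must pass with the default of 0.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat(1)
# and GNU find(1); paths are whatever the caller passes in.
set -u

# component_ok PATH EXPECTED_UID
# 0 if PATH is owned by EXPECTED_UID and neither group nor others may write.
component_ok() {
    out=$(stat -c '%u %a' "$1") || return 1
    uid=${out% *}
    mode=${out#* }
    [ "$uid" = "$2" ] || return 1
    # Last two octal digits are the group and other permission triplets;
    # a digit of 2, 3, 6 or 7 carries the write bit.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    case "$group$other" in
        *[2367]*) return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR [EXPECTED_UID]
# Walks / then every component down to DIR, applying component_ok to each.
# sshd requires EXPECTED_UID=0 (the default); tests pass their own uid.
chroot_path_ok() {
    want=${2:-0}
    rest=${1#/}
    path=
    component_ok / "$want" || return 1
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$comp" ] || continue
        path="$path/$comp"
        component_ok "$path" "$want" || return 1
    done
    return 0
}

# download_only_ok DIR
# 0 if no file or directory under DIR is writable by group or others, so a
# group that can read the tree can neither add, rename nor alter anything.
download_only_ok() {
    [ -z "$(find "$1" -perm /022 -print 2>/dev/null | head -n 1)" ]
}

# Typical use on the server from the post (requires root to pass):
#   chroot_path_ok /opt/upload && download_only_ok /opt/upload/shared
```

Run it before restarting sshd: a chroot that fails chroot_path_ok will simply refuse every login for the Match group, and a tree that fails download_only_ok is one the "download only" users can still modify.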
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug