Michael Lazin on 6 Aug 2015 12:24:17 -0700



Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users


The .ftpaccess is recursive, so if you put it on a directory that's served up on the web it will affect directories beneath it.  I tested this by putting it in a user's public_html directory on a debian server and attempting to transfer a file as that user via scp.  I got permission denied.  I have used ftp access files many times to limit ftp users' rights but was unsure if it worked with scp too.  Apparently it does.  It does not prevent the user from connecting via ssh and deleting it however, unless it belonged to root or another user or group they don't have rights to.

On Thu, Aug 6, 2015 at 3:18 PM, brent timothy saner <brent.saner@gmail.com> wrote:

On 08/06/2015 02:47 PM, Michael Leone wrote:
> I have a question. I have a RH server that we use for SFTP transfers
> (meaning: clients put files there for us to take out). Now, I need to
> set up some users for the exact opposite - we will put files in their
> directories for them to download, but we do *not* want them to be able
> to put files into these directories.
>
> And I am confused on how best to go about that. We are running OpenSSH
> 4.3p2 on the box. This is not chrooted.
>
> I *think* what I need to do is set their home directory permissions to
> allow read only to their ID and group.
>
> What I can't do is screw up the existing users sending us files. :-)
> this setup has been working fine for like 5 years.  Or not screw it up
> for the existing users, I should say - can't change anything that is
> currently working.
>
> So: I will be creating new users, who will be SFTP into us, each into
> their own directory, and they can only download, not upload. I see (I
> think) that I can use a "match groupname" and have SSH chroot only the
> users in that group, and while that is useful, it doesn't solve my
> problem (I don't think).
>
>
> Thoughts? Pointers?

I'd combine your idea of permissions, plus making these changes to your
sshd_config.

let's say the dir you want the uploads to be in is /opt/upload/shared

first, make sure sshd_config has "Subsystem sftp internal-sftp".

then,

Match Group sftpjailcell
    ChrootDirectory /opt/upload[1]
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp


[1] or wherever the files are. be careful with this, however- the reason
why we choose the parent directory of our uploads dir specified above is
because every path component you specify for chrootdirectory has to be
owned as root:root, with no write ability from any other user/group. i
*think*, iirc, that read/execute is okay/may be necessary.


THEN:

chown -R root:uploadusers /opt/upload/shared
find /opt/upload/shared -type f -exec chmod 664 '{}' \;
find /opt/upload/shared -type d -exec chmod 755 '{}' \;
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug



--
Michael Lazin

to gar auto estin noein te kai ennai