Michael Lazin on 6 Aug 2015 12:24:17 -0700


Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users

The .ftpaccess is recursive, so if you put it on a directory that's served up on the web it will affect directories beneath it.  I tested this by putting it in a user's public_html directory on a debian server and attempting to transfer a file as that user via scp.  I got permission denied.  I have used ftp access files many times to limit ftp users' rights but was unsure if it worked with scp too.  Apparently it does.  It does not prevent the user from connecting via ssh and deleting it, however, unless it belonged to root or another user or group they don't have rights to.

On Thu, Aug 6, 2015 at 3:18 PM, brent timothy saner <brent.saner@gmail.com> wrote:

On 08/06/2015 02:47 PM, Michael Leone wrote:
> I have a question. I have a RH server that we use for SFTP transfers
> (meaning: clients put files there for us to take out). Now, I need to
> set up some users for the exact opposite - we will put files in their
> directories for them to download, but we do *not* want them to be able
> to put files into these directories.
> And I am confused on how best to go about that. We are running OpenSSH
> 4.3p2 on the box. This is not chrooted.
> I *think* what I need to do is set their home directory permissions to
> allow read only to their ID and group.
> What I can't do is screw up the existing users sending us files. :-)
> this setup has been working fine for like 5 years.  Or not screw it up
> for the existing users, I should say - can't change anything that is
> currently working.
> So: I will be creating new users, who will be SFTP into us, each into
> their own directory, and they can only download, not upload. I see (I
> think) that I can use a "match groupname" and have SSH chroot only the
> users in that group, and while that is useful, it doesn't solve my
> problem (I don't think).
> Thoughts? Pointers?

I'd combine your idea of permissions, plus making these changes to your

let's say the dir you want the uploads to be in is /opt/upload/shared

first, make sure sshd_config has "Subsystem sftp internal-sftp".


Match Group sftpjailcell
    ChrootDirectory /opt/upload[1]
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

[1] or wherever the files are. be careful with this, however- the reason
why we choose the parent directory of our uploads dir specified above is
because every path component you specify for chrootdirectory has to be
owned as root:root, with no write ability from any other user/group. i
*think*, iirc, that read/execute is okay/may be necessary.


chown -R root:uploadusers /opt/upload/shared
find /opt/upload/shared -type f -exec chmod 664 '{}' \;
find /opt/upload/shared -type d -exec chmod 755 '{}' \;

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Michael Lazin

to gar auto estin noein te kai ennai