Michael Leone on 6 Aug 2015 12:24:48 -0700
Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users
On Thu, Aug 6, 2015 at 3:18 PM, brent timothy saner <brent.saner@gmail.com> wrote:
> I'd combine your idea of permissions, plus making these changes to your
> sshd_config.
>
> let's say the dir you want the uploads to be in is /opt/upload/shared

OK. But there might not be a shared area - I might need it per user,
rather than all users accessing a single area to download files from.

> first, make sure sshd_config has "Subsystem sftp internal-sftp".

Mine has

Subsystem sftp /usr/libexec/openssh/sftp-server

Presumably equivalent?

> then,
>
> Match Group sftpjailcell
> ChrootDirectory /opt/upload[1]
> AllowTCPForwarding no
> X11Forwarding no
> ForceCommand internal-sftp
>
>
> [1] or wherever the files are. be careful with this, however- the reason
> why we choose the parent directory of our uploads dir specified above is
> because every path component you specify for chrootdirectory has to be
> owned as root:root, with no write ability from any other user/group. i
> *think*, iirc, that read/execute is okay/may be necessary.

I have already decided (for other reasons) that all these users will
have their own home folders in their own directory structure - i.e.,
/Project/<userA>

> THEN:
>
> chown -R root:uploadusers /opt/upload/shared
> find /opt/upload/shared -type f -exec chmod 664 '{}' \;
> find /opt/upload/shared -type d -exec chmod 755 '{}' \;
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
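
The ownership rule quoted above for ChrootDirectory (every path component root-owned, no group or other write access) can be audited before sshd is reloaded. The script below is an added example and not part of the thread; the function names and the optional UID argument, which exists only so the check can be exercised without root, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ChrootDirectory path. Every
# component must be a directory owned by root, not group- or world-writable.

# check_component DIR [UID] -> 0 if DIR meets the rule for owner UID (default 0).
check_component() {
    cc_dir=$1
    cc_uid=${2:-0}
    if [ ! -d "$cc_dir" ]; then
        echo "FAIL $cc_dir: not a directory"; return 1
    fi
    # -n prints the numeric owner, -L follows symlinks like stat(2) does.
    cc_info=$(ls -ldnL -- "$cc_dir") || return 1
    cc_mode=$(printf '%s\n' "$cc_info" | awk '{print $1}')
    cc_owner=$(printf '%s\n' "$cc_info" | awk '{print $3}')
    if [ "$cc_owner" != "$cc_uid" ]; then
        echo "FAIL $cc_dir: owner uid $cc_owner, expected $cc_uid"; return 1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    if [ "$(printf '%s' "$cc_mode" | cut -c6)" = w ] ||
       [ "$(printf '%s' "$cc_mode" | cut -c9)" = w ]; then
        echo "FAIL $cc_dir: mode $cc_mode is group- or world-writable"; return 1
    fi
    echo "ok   $cc_dir ($cc_mode)"
}

# check_chroot_path PATH [UID] -> 0 only if / and every component pass.
check_chroot_path() {
    cp_rest=$1
    cp_uid=${2:-0}
    case $cp_rest in
        /*) ;;
        *) echo "FAIL $cp_rest: path must be absolute"; return 1 ;;
    esac
    cp_rc=0; cp_cur=
    check_component / "$cp_uid" || cp_rc=1
    cp_rest=${cp_rest#/}
    while [ -n "$cp_rest" ]; do
        cp_part=${cp_rest%%/*}
        case $cp_rest in */*) cp_rest=${cp_rest#*/} ;; *) cp_rest= ;; esac
        [ -n "$cp_part" ] || continue
        cp_cur=$cp_cur/$cp_part
        check_component "$cp_cur" "$cp_uid" || cp_rc=1
    done
    return "$cp_rc"
}

[ $# -eq 0 ] || check_chroot_path "$@"
```

Run it with the directory sshd will actually chroot into, for example `sh check_chroot.sh /opt/upload`; every line printed should start with `ok`.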