Michael Leone on 7 Aug 2015 06:14:00 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Setting SFTP restrictions to download only, but only for certain users

OK, so I will admit that these days, I'm pretty much a Windows and
VMware admin, don't do a lot of Linux. I know how I would do it in the
other OS, so I would appreciate somebody verifying this, before I turn
it loose on my one and only SFTP server .. the concepts should be
pretty much the same.

I need the users to have a home directory where they have only
read-only access, but I - as "SupremeAdmin" user, have read-write
access, so I can leave files for the users to download via SFTP.

Here's what I am thinking:

I will eventually be using my account, "SupremeAdmin" (no, that's not
it's real name :-)). I create a structure called "/Project". I verify
that group rights are RW (the group being my "SupremeAdmin" group). So
now this directory structure is RW for me, alone.

I create new users, specifying their home directory as
"/Project/<user>". I do *not* add the user to my "SupremeAdmin" group.
I then remove their write access to their home directory (chmod u-w).

How do I get my group "SupremeAdmin" to have RW rights into
"/Project/<user>"? When I create "/Project/<user>", won't the group
attached to that directory be the group the user is in?

Will that do it? When the users connect via SFTP, they will go right
to their home directory "/Project/<user>". They will be able to get
there? They won't need R access to :/Project", to be able to access
something under "/Project"?

As for the rest, I can write a file for the user into their home
directory, and they can SFTP in and download it. But they *won't* be
able to delete said file, nor create new files (as they don't have W
access in that directory).

What am I missing, so far?
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug