LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-10-2012, 10:44 AM   #1
efransi
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Rep: Reputation: Disabled
Dropbox effect user account


Hi all , we would like to create a "dropbox" user experiance using SFTP and Ubuntu, that user can upload files to a dir but not be able to read his own uploaded files (wirte-only), we did install ubuntu and SSHD, the SSHD_CONFIG looks like below ...
The user account44 is able to upload ( read, write ) files right now to the upload directory, but I want this user to only be able put files and not seeing them afterwards .
Can someone tell me how to achieve this for the user account44 ??
Thanks,


# Package generated configuration file
# See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Logging SyslogFacility AUTH LogLevel INFO # Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile%h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp ChrootDirectory /sftp/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp

#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp ChrootDirectory /sftp/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'.
UsePAM yes



Thanks,
e
btw: I did logon with root account and then cd /sftp/account44/
and then chmod -r upload
Where upload is the directory which should have the dropbox effect , but when I ftp using account44 I cannot list the upload dir, which is good, but I cannot either write to it, getting Directory /upload: permission denied ..
What to do ?
Thanks,
e
 
Old 04-17-2012, 02:29 AM   #2
cliffordw
Member
 
Registered: Jan 2012
Location: South Africa
Posts: 481

Rep: Reputation: 179Reputation: 179
Hi there,

One approach may be to use the -u option of sftp-server to change/force the umask used for creating files. You can set this in your sshd_config file as follows:
Subsystem sftp /usr/lib/openssh/sftp-server -u 0777
(fix the path for your sftp-server executable)

Giving the user write permission to the directory will allow him/her to create new files. Setting the umask to 0777 means that once the files are created, he will have no permissions on the file (to read or overwrite).

Regarding read permissions on the directory, this only affects whether the user can list the files, not whether he can read the individual files. There should therefore not be too much harm in allowing this. Having said this, removing the directory read permissions was not fatal for me when I tested it. I could cd to the directory, and put files there. "ls" failed with "Permission denied", but didn't stop me from "put"ing a file there. Different sftp clients may handle this differently, though, particularly if you are using a GUI sftp client that wants to list the files.

I hope this helps!
 
Old 05-04-2012, 04:47 AM   #3
efransi
LQ Newbie
 
Registered: Apr 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
Hallo there ,
Many thanks for your support ... adding sftp /usr/lib/openssh/sftp-server -u 0777 will probably be activated and applied to all the users, correct me if I'm wrong .
which is somehting I want to prevent since i was to do this only for ONE test user account44, would you tell how to achieve this ?
Many thanks !
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
root account or user account arodlinux SUSE / openSUSE 3 12-23-2008 09:59 PM
Prevent user account from logging in but allow su to account DejaCpp Linux - General 4 07-26-2006 12:44 PM
User Account to Access Another Account benfaust Linux - General 2 06-28-2006 01:26 PM
system account or user account??? yenonn Linux - Newbie 6 05-10-2006 08:49 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 11:02 AM


All times are GMT -5. The time now is 03:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration