Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is it possible to set up sftp users with varying permissions on the same filesystem. I have successfully set up an sftp system (on Amazon EC2) using OpenSSH on Debian (OpenSSH_5.5p1 Debian-6+squeeze2) and chrooting different groups of users to different directories. All works fine and people can log in and upload and download as required.
I have a new user I want to add, accessing the same files as the other users, but with read-only access and I can't find any way to do that.
Is there any way to set access permissions by user?
If not can anyone suggest a workaround (eg. readonly --bind mount which I can't quite work out how to do) to achieve what I'm after?
Why not change the permissions of the home directory an all child directories to something like...
Code:
chmod 774 /home/sharedhome
#propagate to all directories
find /home/shardhome -type d -exec chmod 774 {} \;
chmod 700 /home/sharedhome/.ssh
Then any users which are part of the group for that folder has rwx access. Make sure that your readonly user isn't the owner and not in a group with rwx. Then that user will only have read permission.
Unfortunately what I need is that the same set of directories are read/write for a group of users (eg. 5 people) and read only for another 3 users, and no access for anyone outside those groups. I don't think I can achieve that with group permissions.
The only route I see at present is to set up a readonly directory and do a readonly --bind mount of the relevant directories within that folder, and then chroot the read only users to that directory. I guess that's the only solution.
The sftp subsystem can be set to be read only using -R. See the man page for sftp-server(8) Match won't allow specifying a subsystem, so the change has to be done another way. One way would be to have two ssh systems running on the same machine but on different ports. One would be set to allow only the members of the read-write group to log in. The other would allow everyone to log in, but would put the sftp subsystem into read-only mode.
PAM with SELinux could be used for this issue. Though SELinux isn't on Ubuntu by default so you'd either have to change that or see if there's an apparmor equivalent configuration with PAM. SELinux could be used to enforce the users ability on the system and PAM can determine whether or not they're allowed to log in. For example PAM can be configured that if SELinux is set to permissive they're not allowed in but when it's enforcing they are.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
