Hi all , we would like to create a "dropbox" user experiance using SFTP and Ubuntu, that user can upload files to a dir but not be able to read his own uploaded files (wirte-only), we did install ubuntu and SSHD, the SSHD_CONFIG looks like below ...
The user account44 is able to upload ( read, write ) files right now to the upload directory, but I want this user to only be able put files and not seeing them afterwards .
Can someone tell me how to achieve this for the user account44 ??
Thanks,


# Package generated configuration file
# See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Logging SyslogFacility AUTH LogLevel INFO # Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile%h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp ChrootDirectory /sftp/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp

#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp internal-sftp ChrootDirectory /sftp/%u X11Forwarding no AllowTcpForwarding no ForceCommand internal-sftp # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'.
UsePAM yes



Thanks,
e
btw: I did logon with root account and then cd /sftp/account44/
and then chmod -r upload
Where upload is the directory which should have the dropbox effect , but when I ftp using account44 I cannot list the upload dir, which is good, but I cannot either write to it, getting Directory /upload: permission denied ..
What to do ?
Thanks,
e

Hi there,

One approach may be to use the -u option of sftp-server to change/force the umask used for creating files. You can set this in your sshd_config file as follows:
Subsystem sftp /usr/lib/openssh/sftp-server -u 0777
(fix the path for your sftp-server executable)

Giving the user write permission to the directory will allow him/her to create new files. Setting the umask to 0777 means that once the files are created, he will have no permissions on the file (to read or overwrite).

Regarding read permissions on the directory, this only affects whether the user can list the files, not whether he can read the individual files. There should therefore not be too much harm in allowing this. Having said this, removing the directory read permissions was not fatal for me when I tested it. I could cd to the directory, and put files there. "ls" failed with "Permission denied", but didn't stop me from "put"ing a file there. Different sftp clients may handle this differently, though, particularly if you are using a GUI sftp client that wants to list the files.

I hope this helps!

Hallo there ,
Many thanks for your support ... adding sftp /usr/lib/openssh/sftp-server -u 0777 will probably be activated and applied to all the users, correct me if I'm wrong .
which is somehting I want to prevent since i was to do this only for ONE test user account44, would you tell how to achieve this ?
Many thanks !