I have built an Ubuntu server, which hosts all my media, where I have mounted my hard drives onto 3 folders (e.g. hard drive1 = movies, hard drive2 = movies2, hard drive3 = extra files).
I want to be able to create a new user, user2, who only has access to the 'movies2' folder over FTP, but also let user1 (the admin account) have access to the same folder.
Even if the person you wish to give access to the directory uses Windows rather than Linux, they can use SFTP logins by installing WinSCP on their Windows machine. (WinSCP can also access standard FTP as well.)
You make the jailed user2 home in the movies2 directory. If you jail him properly he'll see movies2 as if it were "/" while your user1 will still see it as /home/user1/movies2.
What we do here instead is create a separate subdirectory as the parent for jailed users (we have multiple) such as:
/home/restricted
We'd then jail the user under that in say /home/restricted/user2.
We then put links to that in any non-jailed directories we might want to share with, e.g.:
Code:
ln -s /home/restricted/user2 /home/user1/movies2
This allows user1 to write into it as if it were under his home directory. When user2 logs in he is really in /home/restricted/user2 but thinks he is in "/" so can't see anything really above him such as /home/restricted itself, /home or the real "/" (root) of the system. This is the point in doing the jailing.
About chrooted SFTP, it is easy enough to set up provided the chroot is owned by root and not writable by anyone else. So that means doing things a little differently for the chrooted users' home directories.
If you have the two users' directories set up like this:
And if you have put them both in a group, such as sftponly, and chrooted with openssh-server like this:
Code:
Match Group sftponly
    ChrootDirectory /home/%u
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp -d %u
Then they can only connect with SFTP and even then they only see their own directories.
Symbolic links won't work if they point outside the chroot, however. You can use a bind mount instead. If your movies are in /home/movies and /home/movies2, then you can give the chrooted user2 access like this:
Code:
mount --bind /home/movies/ /home/user2/user2/movies
mount --bind /home/movies2/ /home/user2/user2/movies2
Thus they will show up in the user's home directory as the subdirectories "movies" and "movies2".
Last edited by Turbocapitalist; 08-04-2017 at 02:12 PM.
One thing you might have seen in the mount manual page regarding the binds is that they won't persist across reboots unless you add them to /etc/fstab. So if you have them the way you want, then add them to fstab so they'll still be there after a reboot.