LinuxQuestions.org
Old 02-23-2010, 06:33 AM   #1
maxmil
LQ Newbie
 
Registered: Feb 2006
Posts: 21

Rep: Reputation: 15
Setup permissions for SSH access to apache


I am looking for the best way to set up permissions in the following situation.

I have a web server set up on Debian. I have different web sites in /var/www.

Each web site has a group of developers who each have system users and ssh access to the server.

For example, I have a web site in /var/www/example.com and a group of developers in group exampledev.

I need all the users in exampledev plus the apache user (www-data) to have read, write and execute permissions on all the content of the web site.

I can give the group exampledev these permissions without a problem. The problem is that when they modify or create new files (they either connect via ssh or sftp, which is the same, right?) they are created with their user and group rather than exampledev.

Am I going down the wrong path?

This must be a common situation but I haven't found the solution.

Can someone give me a shove in the right direction?

Thanks.
 
Old 02-23-2010, 07:06 AM   #2
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
If the specific users are in examplegroup, then newgrp examplegroup changes the current group.
http://node1.yo-linux.com/cgi-bin/ma...command=newgrp

But I can't find a way to automatically apply that after login.
Maybe a login script?


You can use ssh to restrict the groups that can log in using the line

AllowGroups <group-name>

in your sshd_config, but it's unclear whether that will disallow users whose default group is their own (user = user, group = user) even though they are also members of examplegroup.

You can add more than one group to AllowGroups so it is possible to test things. (Just don't lock yourself out!)

Last edited by smoker; 02-23-2010 at 07:09 AM.
 
Old 02-23-2010, 07:57 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,360

Rep: Reputation: 2751
chmod g+s dirname

enforces ownership of all files created therein to have group owner same as group owner of dir.
 
1 members found this post helpful.
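
Added example, not part of the posts above: `chmod g+s dirname` changes only the named directory, and only subdirectories created afterwards inherit the bit, so an existing tree needs it set on every directory (and on directories only). The function names are hypothetical, and GNU `find` on Linux is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU findutils on Linux.

# set_group_inherit DIR GROUP
# Give DIR and everything below it to GROUP, then set the setgid bit on
# directories only. "chmod -R g+s" is avoided: it would also mark regular
# files setgid, which web content should never be.
set_group_inherit() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# missing_setgid DIR: directories that will not pass their group to new entries.
missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# setgid_files DIR: regular files carrying the setgid bit (expected: none).
setgid_files() {
    find "$1" -type f -perm -2000
}

# demo: constructed tree under a temporary directory, using the caller's own
# primary group so no extra privileges are needed.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/img/thumbs"
    : > "$root/site/index.html"
    chmod g+s "$root/site"                 # the command from the post, top level only
    echo "before: $(missing_setgid "$root/site" | wc -l) directories lack setgid"
    set_group_inherit "$root/site" "$(id -g)"
    mkdir "$root/site/new"                 # created afterwards, inherits the bit
    echo "after:  $(missing_setgid "$root/site" | wc -l) directories lack setgid"
    echo "setgid files: $(setgid_files "$root/site" | wc -l)"
    rm -rf "$root"
}

demo
```
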
Old 02-24-2010, 05:12 AM   #4
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 250
Quote:
Originally Posted by chrism01
chmod g+s dirname

enforces ownership of all files created therein to have group owner same as group owner of dir.
Nice :-)
 
Old 02-24-2010, 08:55 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Also take a look at ACLs. They allow you to further extend the normal permission settings.

man setfacl
man getfacl
 
Old 02-26-2010, 08:41 AM   #6
maxmil
LQ Newbie
 
Registered: Feb 2006
Posts: 21

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by chrism01
chmod g+s dirname

enforces ownership of all files created therein to have group owner same as group owner of dir.
Perfect. I knew that it had to be easy.

Setting up the user's umask to give the group write permissions (0002) was not so easy.

There are plenty of ways to do it for ssh, but for sftp I didn't find an obvious way.

I presume that PAM is the correct way to go, but I couldn't get it to work.

In the end I created a wrapper script that sets the user's umask before invoking the sftp-server and pointed the Subsystem sftp line to this script in /etc/ssh/sshd_config.

If anyone has a cleaner way of setting up the default sftp umask on Debian, I would be interested to hear about it.
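
Added example, not the poster's actual script: one way to write the wrapper described above, produced by a hypothetical helper so it can be exercised with `touch` standing in for `sftp-server`. The install path `/usr/local/bin/sftp-umask` in the comments is an assumption; `/usr/lib/openssh/sftp-server` is where Debian ships the server binary.

```shell
#!/bin/sh
# Added example; helper names and the install path are assumptions.
#
# Intended deployment (as root), then restart sshd:
#   write_umask_wrapper /usr/local/bin/sftp-umask /usr/lib/openssh/sftp-server
#   /etc/ssh/sshd_config:  Subsystem sftp /usr/local/bin/sftp-umask
# Keep the wrapper root-owned and not group-writable: sshd runs it for every
# SFTP login, so a developer who could edit it would run code as the others.

# write_umask_wrapper WRAPPER SERVER [MASK]
# Write a script that sets the umask (default 0002) and then execs SERVER with
# the original arguments, so no extra process stays between sshd and the server.
write_umask_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
umask ${3:-0002}
exec "$2" "\$@"
EOF
    chmod 755 "$1"
}

# demo_modes: from a session with umask 0022, create one file directly and one
# through the wrapper, with touch as a constructed stand-in for sftp-server.
# Prints the two resulting modes.
demo_modes() {
    d=$(mktemp -d) || return 1
    write_umask_wrapper "$d/sftp-umask" touch
    (
        umask 0022
        touch "$d/direct"
        sh "$d/sftp-umask" "$d/wrapped"
        printf '%s %s\n' "$(stat -c %a "$d/direct")" "$(stat -c %a "$d/wrapped")"
    )
    rm -rf "$d"
}

demo_modes
```

`sftp-server` in current OpenSSH releases also accepts `-u umask`, so `Subsystem sftp /usr/lib/openssh/sftp-server -u 0002` gives the same result without a wrapper.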
 
  

