>>> For some reason I thought SFTP would provide access control but now
>>> I'm thinking it's just like SSH in that access control is based on
>>> file ownership and permissions? If that's the case, can anyone think
>>> of a better way to control remote access to my files than chmod/chown?
>>
>> ACLs.
>>
>
> We went this route once too. We had a developer ($USER) who was supposed
> to have access to just one subdirectory of /var/www.
>
> I took notes, assuming /etc, /root, and /usr have correct permissions:
>
> 1. A group named ssh_users was created. The $USER account was
>    added as a member of this group.
>
> 2. The ssh_users group was granted the ability to traverse /var/www:
>
>      setfacl -m group:ssh_users:--x /var/www
>
>    This is necessary to allow the $USER user to chdir into its
>    home directory in /var/www/$HIS_HOME_DIR.
>
> 3. A default ACL was set on /var/www which will apply to each new
>    subdirectory created within it.
>
>      setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www
>
>    This prevents members of the ssh_users group from traversing any
>    newly-created subdirectories of /var/www.
>
> 4. The default ACL described above was applied manually to each of
>    the existing subdirectories of /var/www:
>
>      setfacl -m g:ssh_users:- /var/www/*
>
>    Warning: At the time of writing, there were no regular files in
>    /var/www, so the above command makes sense. Don't blindly run it
>    again without checking.
>
> 5. The $USER user was granted full read/write/traverse permissions
>    on its home directory and all subdirectories/files contained
>    therein:
>
>      setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR
>
> 6. At this point, we need to change the default ACLs of every
>    directory within /var/www/$HIS_HOME_DIR. This is so that, when
>    $USER creates a new file/directory somewhere beneath its home
>    directory, it has access to the newly-created file or directory:
>
>      setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR
>
>    This command sets the default ACL recursively, and is smart
>    enough to only apply the command to directories.

Thanks for that. I haven't thought it all the way through, but if
Unix ownership and permissions aren't granular enough and subversion's
path-based authorization won't work, I will need to use ACLs. I think
both subversion's path-based authorization and Unix
ownership/permissions would be simpler to implement and maintain than
ACLs so I'm hoping it doesn't come to that.

- Grant
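
An added check for steps 3 and 4 of the quoted notes (not part of the original thread, and not code from its authors): it reads `getfacl -p` output and flags direct children of /var/www where the ssh_users group is not explicitly denied, which is the state a directory is in if it predates the default ACL. The site_* paths and the sample listing are constructed.

```shell
# Added example: audit `getfacl -p` output against the layout in the notes.
WEB_ROOT=/var/www
GROUP=ssh_users

# Reads getfacl output on stdin and prints one line per direct child of
# WEB_ROOT whose access ACL lacks an explicit "group:ssh_users:---" entry.
# A missing entry is a finding: without it, group members who match no
# other ACL entry fall through to "other" (o::rx in the notes).
audit_acl() {
    awk -v root="$WEB_ROOT" -v grp="$GROUP" '
        function report() {
            if (child && perms != "---")
                print path ": " grp "=" (perms == "" ? "absent" : perms)
        }
        /^# file: / {
            report()
            path = substr($0, 9); perms = ""
            rest = substr(path, length(root) + 2)
            # only direct children of root; deeper paths sit behind them
            child = (index(path, root "/") == 1 && rest != "" && index(rest, "/") == 0)
            next
        }
        # access entries only: default entries start with "default:"
        index($0, "group:" grp ":") == 1 { perms = substr($0, length(grp) + 8, 3) }
        END { report() }
    '
}

# Constructed, abbreviated sample of `getfacl -p -R /var/www` output.
sample_getfacl() {
    cat <<'EOF'
# file: /var/www
group:ssh_users:--x
default:group:ssh_users:---

# file: /var/www/site_a
group:ssh_users:---

# file: /var/www/site_old
group::r-x

# file: /var/www/site_b
group:ssh_users:r-x

# file: /var/www/site_b/uploads
group::r-x
EOF
}

sample_getfacl | audit_acl
```

On a live system the input would come from `getfacl -p -R /var/www | audit_acl`; the `-p` keeps the leading slash that the path match relies on.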