| 1 |
>>> For some reason I thought SFTP would provide access control but now |
| 2 |
>>> I'm thinking it's just like SSH in that access control is based on |
| 3 |
>>> file ownership and permissions? If that's the case, can anyone think |
| 4 |
>>> of a better way to control remote access to my files than chmod/chown? |
| 5 |
>> |
| 6 |
>> ACLs. |
| 7 |
>> |
| 8 |
> |
| 9 |
> We went this route once too. We had a developer ($USER) who was supposed |
| 10 |
> to have access to just one subdirectory of /var/www. |
| 11 |
> |
| 12 |
> I took notes, assuming /etc, /root, and /usr have correct permissions: |
| 13 |
> |
| 14 |
> 1. A group named ssh_users was created. The $USER account was |
| 15 |
> added as a member of this group. |
| 16 |
> |
| 17 |
> 2. The ssh_users group was granted the ability to traverse /var/www: |
| 18 |
> |
| 19 |
> setfacl -m group:ssh_users:--x /var/www |
| 20 |
> |
| 21 |
> This is necessary to allow the $USER user to chdir into its |
| 22 |
> home directory in /var/www/$HIS_HOME_DIR. |
| 23 |
> |
| 24 |
> 3. A default ACL was set on /var/www which will apply to each new |
| 25 |
> subdirectory created within it. |
| 26 |
> |
| 27 |
> setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www |
| 28 |
> |
| 29 |
> This prevents members of the ssh_users group from traversing any |
| 30 |
> newly-created subdirectories of /var/www. |
| 31 |
> |
| 32 |
> 4. The default ACL described above was applied manually to each of |
| 33 |
> the existing subdirectories of /var/www: |
| 34 |
> |
| 35 |
> setfacl -m g:ssh_users:- /var/www/* |
| 36 |
> |
| 37 |
> Warning: At the time of writing, there were no regular files in |
| 38 |
> /var/www, so the above command makes sense. Don't blindly run it |
| 39 |
> again without checking. |
| 40 |
> |
| 41 |
> 5. The $USER user was granted full read/write/traverse permissions |
| 42 |
> on its home directory and all subdirectories/files contained |
| 43 |
> therein: |
| 44 |
> |
| 45 |
> setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR |
| 46 |
> |
| 47 |
> 6. At this point, we need to change the default ACLs of every |
| 48 |
> directory within /var/www/$HIS_HOME_DIR. This is so that, when |
| 49 |
> $USER creates a new file/directory somewhere beneath its home |
| 50 |
> directory, it has access to the newly-created file or directory: |
| 51 |
> |
| 52 |
> setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www |
| 53 |
> /$HIS_HOME_DIR |
| 54 |
> |
| 55 |
> This command sets the default ACL recursively, and is smart |
| 56 |
> enough to only apply the command to directories. |
| 57 |
|
| 58 |
Thanks for that. I haven't thought it all the way through, but if |
| 59 |
Unix ownership and permissions aren't granular enough and subversion's |
| 60 |
path-based authorization won't work, I will need to use ACLs. I think |
| 61 |
both subversion's path-based authorization and Unix |
| 62 |
ownership/permissions would be simpler to implement and maintain than |
| 63 |
ACLs so I'm hoping it doesn't come to that. |
| 64 |
|
| 65 |
- Grant |
Archives