| 1 |
On 09/29/2011 04:13 AM, Neil Bothwick wrote: |
| 2 |
> On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote: |
| 3 |
> |
| 4 |
>> For some reason I thought SFTP would provide access control but now |
| 5 |
>> I'm thinking it's just like SSH in that access control is based on |
| 6 |
>> file ownership and permissions? If that's the case, can anyone think |
| 7 |
>> of a better way to control remote access to my files than chmod/chown? |
| 8 |
> |
| 9 |
> ACLs. |
| 10 |
> |
| 11 |
|
| 12 |
We went this route once too. We had a developer ($USER) who was supposed |
| 13 |
to have access to just one subdirectory of /var/www. |
| 14 |
|
| 15 |
I took notes, assuming /etc, /root, and /usr have correct permissions: |
| 16 |
|
| 17 |
1. A group named ssh_users was created. The $USER account was |
| 18 |
added as a member of this group. |
| 19 |
|
| 20 |
2. The ssh_users group was granted the ability to traverse /var/www: |
| 21 |
|
| 22 |
setfacl -m group:ssh_users:--x /var/www |
| 23 |
|
| 24 |
This is necessary to allow the $USER user to chdir into its |
| 25 |
home directory in /var/www/$HIS_HOME_DIR. |
| 26 |
|
| 27 |
3. A default ACL was set on /var/www which will apply to each new |
| 28 |
subdirectory created within it. |
| 29 |
|
| 30 |
setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www |
| 31 |
|
| 32 |
This prevents members of the ssh_users group from traversing any |
| 33 |
newly-created subdirectories of /var/www. |
| 34 |
|
| 35 |
4. The default ACL described above was applied manually to each of |
| 36 |
the existing subdirectories of /var/www: |
| 37 |
|
| 38 |
setfacl -m g:ssh_users:- /var/www/* |
| 39 |
|
| 40 |
Warning: At the time of writing, there were no regular files in |
| 41 |
/var/www, so the above command makes sense. Don't blindly run it |
| 42 |
again without checking. |
| 43 |
|
| 44 |
5. The $USER user was granted full read/write/traverse permissions |
| 45 |
on its home directory and all subdirectories/files contained |
| 46 |
therein: |
| 47 |
|
| 48 |
setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR |
| 49 |
|
| 50 |
6. At this point, we need to change the default ACLs of every |
| 51 |
directory within /var/www/$HIS_HOME_DIR. This is so that, when |
| 52 |
$USER creates a new file/directory somewhere beneath its home |
| 53 |
directory, it has access to the newly-created file or directory: |
| 54 |
|
| 55 |
setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www |
| 56 |
/$HIS_HOME_DIR |
| 57 |
|
| 58 |
This command sets the default ACL recursively, and is smart |
| 59 |
enough to only apply the command to directories. |
Archives