On 09/29/2011 04:13 AM, Neil Bothwick wrote:
> On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote:
>
>> For some reason I thought SFTP would provide access control but now
>> I'm thinking it's just like SSH in that access control is based on
>> file ownership and permissions? If that's the case, can anyone think
>> of a better way to control remote access to my files than chmod/chown?
>
> ACLs.
>

We went this route once too. We had a developer ($USER) who was supposed
to have access to just one subdirectory of /var/www.

I took notes, assuming /etc, /root, and /usr have correct permissions:

1. A group named ssh_users was created. The $USER account was
   added as a member of this group.

2. The ssh_users group was granted the ability to traverse /var/www:

     setfacl -m group:ssh_users:--x /var/www

   This is necessary to allow the $USER user to chdir into its
   home directory in /var/www/$HIS_HOME_DIR.

3. A default ACL was set on /var/www which will apply to each new
   subdirectory created within it.

     setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www

   This prevents members of the ssh_users group from traversing any
   newly-created subdirectories of /var/www.

4. The default ACL described above was applied manually to each of
   the existing subdirectories of /var/www:

     setfacl -m g:ssh_users:- /var/www/*

   Warning: At the time of writing, there were no regular files in
   /var/www, so the above command makes sense. Don't blindly run it
   again without checking.

5. The $USER user was granted full read/write/traverse permissions
   on its home directory and all subdirectories/files contained
   therein:

     setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR

6. At this point, we need to change the default ACLs of every
   directory within /var/www/$HIS_HOME_DIR. This is so that, when
   $USER creates a new file/directory somewhere beneath its home
   directory, it has access to the newly-created file or directory:

     setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR

   This command sets the default ACL recursively, and is smart
   enough to only apply the command to directories.
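To see why the six steps above behave as described, here is a small Python model of the access check from acl(5) (owner, then named user, then owning and named groups, then other, with the mask applied to everything except the owner and other entries), replayed over the exact ACLs the setfacl commands produce. It is an added example, not code from the thread or from the acl tools; the kernel does the real check. The names dev, dev2 and apache, and the literal ACL strings, are assumptions standing in for $USER, a second ssh_users member, the web server user and $HIS_HOME_DIR. It also covers one thing the steps do not spell out: once a directory carries a default ACL, Linux ignores the umask and instead intersects the default ACL with the mode the creating call requests (0666 for a file, 0777 for mkdir), which is why a file created under $HIS_HOME_DIR ends up with mask rw- and $USER gets rw- rather than rwx on it.

```python
from dataclasses import dataclass

# Model of the POSIX.1e access check from acl(5), replayed over the ACLs the
# setfacl steps above produce.  Added example, not code from the thread; the kernel
# does the real check.  'dev', 'dev2', 'apache' and the ACL texts are assumed names.
TAGS = {k[0]: k for k in ("user", "group", "other", "mask")}   # u/g/o/m short forms


@dataclass(frozen=True)
class Entry:
    tag: str          # user / group / other / mask
    qualifier: str    # "" for the owner, owning-group, other and mask entries
    perms: frozenset  # subset of {"r", "w", "x"}


def parse_acl(spec):
    """Parse setfacl's short form ('u::rwx,g::rx,g:ssh_users:-,o::rx').  Like
    setfacl without -n, a missing mask is computed when named entries exist."""
    entries = []
    for item in spec.split(","):
        tag, qualifier, perms = item.split(":")
        entries.append(Entry(TAGS.get(tag, tag), qualifier, frozenset(c for c in perms if c in "rwx")))
    if any(e.qualifier for e in entries) and not any(e.tag == "mask" for e in entries):
        mask = frozenset().union(*(e.perms for e in entries if e.tag == "group" or e.qualifier))
        entries.append(Entry("mask", "", mask))   # owning group + all named entries
    return entries


def check_access(acl, owner, group, uid, groups, wanted):
    """acl(5): owner, then named user, then groups, then other; the first matching class decides."""
    want = set(wanted)
    by = {t: [e for e in acl if e.tag == t] for t in ("user", "group", "other", "mask")}
    mask = by["mask"][0].perms if by["mask"] else None

    def grants(perms, masked=True):
        return want <= (perms & mask if masked and mask is not None else perms)

    if uid == owner:                                          # 1. owner (mask not applied)
        return grants(next(e.perms for e in by["user"] if not e.qualifier), masked=False)
    for e in by["user"]:                                      # 2. named user
        if e.qualifier and e.qualifier == uid:
            return grants(e.perms)
    matching = [e for e in by["group"] if (e.qualifier or group) in groups]  # 3. groups
    if matching:                                              #    a match here means 'other'
        return any(grants(e.perms) for e in matching)         #    is never reached
    return grants(by["other"][0].perms, masked=False)         # 4. other


def inherit(default_acl, mode):
    """Access ACL of a new object created under a directory carrying default_acl.
    mode is what the creating call requests (0o666 for open/touch, 0o777 for mkdir);
    the umask is ignored when a default ACL exists.  Owner, other and mask (or the
    owning group when there is no mask) are ANDed with it; named entries are kept."""
    def bits(shift):
        return frozenset(c for c, b in zip("rwx", (4, 2, 1)) if (mode >> shift) & b)
    has_mask = any(e.tag == "mask" for e in default_acl)
    out = []
    for e in default_acl:
        if e.tag == "user" and not e.qualifier:
            out.append(Entry("user", "", e.perms & bits(6)))
        elif e.tag == "mask" or (e.tag == "group" and not e.qualifier and not has_mask):
            out.append(Entry(e.tag, "", e.perms & bits(3)))
        elif e.tag == "other":
            out.append(Entry("other", "", e.perms & bits(0)))
        else:
            out.append(e)
    return out


# The thread's setup with assumed names; root owns every directory.
DEV, DEV2, SSH = "dev", "dev2", {"ssh_users"}
WWW = parse_acl("u::rwx,g::rx,g:ssh_users:--x,o::rx")              # /var/www after step 2
WWW_DEFAULT = parse_acl("u::rwx,g::rx,g:ssh_users:-,o::rx")         # step 3 default ACL
DEV_HOME = parse_acl("u::rwx,u:dev:rwx,g::rx,g:ssh_users:-,o::rx")  # $HIS_HOME_DIR after steps 4 and 5
DEV_HOME_DEFAULT = parse_acl("u::rwx,u:dev:rwx,g::rx,o::rx")        # step 6 default ACL


def demo():
    def can(acl, uid, wanted, groups):
        return check_access(acl, "root", "root", uid, groups, wanted)
    dev, dev2, www = {DEV} | SSH, {DEV2} | SSH, {"apache"}
    new_subdir = inherit(WWW_DEFAULT, 0o777)      # mkdir of a new site under /var/www
    new_file = inherit(DEV_HOME_DEFAULT, 0o666)   # root creates a file inside dev's tree
    return {
        # step 2: --x lets ssh_users pass through /var/www but not list it
        "dev traverses /var/www": can(WWW, DEV, "x", dev),
        "dev lists /var/www": can(WWW, DEV, "r", dev),
        # step 3: inherited g:ssh_users:- matches first; o::rx never applies to ssh_users
        "dev enters new subdir": can(new_subdir, DEV, "x", dev),
        "apache enters new subdir": can(new_subdir, "apache", "x", www),
        # step 5: named user beats the g:ssh_users:- entry that is also present
        "dev works in own home": can(DEV_HOME, DEV, "rwx", dev),
        "dev2 enters dev's home": can(DEV_HOME, DEV2, "x", dev2),
        # step 6: mask drops to rw-, so u:dev:rwx is effectively rw- (#effective:rw-)
        "dev edits root's file in own tree": can(new_file, DEV, "rw", dev),
        "dev executes that file": can(new_file, DEV, "x", dev),
        "apache reads that file": can(new_file, "apache", "r", www),
    }


if __name__ == "__main__":
    for what, ok in demo().items():
        print(("allowed " if ok else "DENIED  ") + what)
```

To compare the model with a real box, `getfacl /var/www/$HIS_HOME_DIR/somefile` prints the same entries, with `#effective:` annotations wherever the mask cuts a named entry down, and `sudo -u $USER test -x /var/www/some-new-subdir` confirms the traverse denial from step 3.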