sftp user as superuser


sftp user as superuser

Alfredo De Luca
Hi all.
We have an sftp server with many users (sftp only) chrooted into their own directory. Those users are connected to an IDM (freeIPA).

All OK except one of those users needs full access (rwx) on all the other users' home directories.
We tried with setfacl, but I wasn't able to do what I want to do... as there are other (local) users who need ssh access, and the setfacl breaks their .ssh/authorized_keys.
Any idea/clue how to do this?


Cheers

--
Alfredo


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: sftp user as superuser

Karl Auer
On Thu, 2018-06-21 at 14:38 +0200, Alfredo De Luca wrote:
> We have an sftp server with many users (sftp only) chrooted into their
> own directory. Those users are connected to an IDM (freeIPA).

Sounds normal.

> All OK except one of those users needs full access (rwx) on all the
> other users' home directories.

My immediate reaction is "no, they don't". I am struggling to see why
this would ever be the case. That said, however:

> We tried with setfacl, but I wasn't able to do what I want to do... as
> there are other (local) users who need ssh access, and the setfacl breaks
> their .ssh/authorized_keys.

Do you REALLY want to give this special user open access to everything
in people's home directories? It sounds wrong.

> Any idea/clue how to do this?

Yes - don't do it.

If you must do it, then create a special group, change the group
ownership to that group for just the directories and files you need
this user to access (i.e. NOT ~/.ssh), and put just this special user
in your special group. Set the setgid bit on all directories the
special user requires access to, so that new files will get the same
ownership as the directory. You may need a script to do this if the
number of users is more than a few. You will have to make the special
user's chroot directory the /home directory or higher.

Then email all users to warn them that this user can see, edit and even
delete anything they put in their home directories.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
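Karl's group-based approach, scripted as an added example (this is not Karl's code and not from the thread). It assumes the group already exists with only the back-office user in it, that each user's top-level directory is their ChrootDirectory (so it must stay root-owned and not group-writable, or sshd rejects it), and that the base directory is /home unless told otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): retrofit an existing /home tree so
# one group gets rwx over every user's files while each ~/.ssh stays private.
# Assumed: GROUP exists and contains only the back-office user.
set -eu

# share_tree BASE GROUP
#   Under every BASE/<user>: group-own everything except the .ssh subtree,
#   give the group rwx + setgid on directories (so new files inherit the
#   group) and rw on files. The <user> directory itself is skipped: it is
#   the chroot root, which sshd requires to be root-owned and not
#   group/world writable.
share_tree() {
    base=$1 grp=$2
    for userdir in "$base"/*/; do
        [ -d "$userdir" ] || continue
        find "$userdir" -mindepth 1 -name .ssh -prune -o -type d \
            -exec chgrp "$grp" {} + -exec chmod g+rwxs {} +
        find "$userdir" -mindepth 1 -name .ssh -prune -o -type f \
            -exec chgrp "$grp" {} + -exec chmod g+rw {} +
    done
}

# is_shared PATH: 0 if PATH is a directory the group can fully use
#   (setgid set and group rwx), 1 otherwise. Useful for a post-run audit.
is_shared() {
    [ -g "$1" ] && [ "$(ls -ld "$1" | cut -c5-7)" = rws ]
}

# untouched_ssh USERDIR: 0 if USERDIR/.ssh is still mode 700 (so sshd keeps
#   honouring authorized_keys), 1 otherwise.
untouched_ssh() {
    [ "$(ls -ld "$1/.ssh" | cut -c2-10)" = rwx------ ]
}

# usage: . ./share_tree.sh; share_tree /home backoffice
```

Setgid makes new files inherit the group but not group-write permission; a `ForceCommand internal-sftp -u 002` in the uploaders' Match block sets the umask for what they upload.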




Re: sftp user as superuser

Alfredo De Luca
Thanks Karl.
I'll try that... Anyway, it's not wrong, as all the users upload stuff online... and this user (a sort of back-office user) needs to move stuff around.

That's all.


Thanks, and I'll give it a try soon.

Thanks




--
Alfredo



Re: sftp user as superuser

Karl Auer
On Thu, 2018-06-21 at 17:22 +0200, Alfredo De Luca wrote:
> I'll try that... Anyway, it's not wrong, as all the users upload stuff
> online... and this user (a sort of back-office user) needs to move
> stuff around.

The right way to do that is to have an upload directory, with chrooted
subdirectories for each user. Your super user can then have open access
to the topmost directory.

Sharing people's home directories is not good.

If you still want people to also be able to access their own home
directories, run a second server (on a different port) to let them do
that.

Regards, K.

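The upload-directory layout and the separate sshd instance Karl describes, as an added example (not Karl's code and not from the thread). The path /srv/upload, the groups uploaders and backoffice, the user backoffice and port 2222 are assumed names; sshd applies the first Match block that fits, so the back-office user must not be a member of the uploaders group.

```shell
#!/bin/sh
# Added example (not from the thread): build the upload tree and emit the
# sshd_config for a dedicated instance (sshd -f thisfile) that serves only it,
# while the normal sshd on port 22 keeps serving real home directories.
set -eu

# mk_upload_tree BASE SHAREGROUP USER...
#   BASE and BASE/<user> are chroot roots, which sshd requires to be owned
#   by root and not group/world writable, so the writable area is
#   BASE/<user>/in: user-owned, group SHAREGROUP (the back-office user's
#   group), setgid so anything uploaded inherits that group.
mk_upload_tree() {
    base=$1 grp=$2; shift 2
    mkdir -p "$base"; chmod 755 "$base"
    for u in "$@"; do
        mkdir -p "$base/$u/in"
        chmod 755 "$base/$u"
        chgrp "$grp" "$base/$u/in"
        chmod 2770 "$base/$u/in"    # owner+group rwx, setgid, nothing for others
        if [ "$(id -u)" = 0 ]; then # only root can hand the chroot roots to root
            chown root:root "$base" "$base/$u"
            chown "$u" "$base/$u/in" 2>/dev/null || echo "no such user $u; fix owner of $base/$u/in" >&2
        fi
    done
}

# sshd_fragment BASE UPLOADGROUP SUPERUSER PORT
#   Uploaders are locked into their own subdirectory; SUPERUSER is chrooted
#   at the top of the tree and so sees every subtree.
sshd_fragment() {
    cat <<EOF
Port $4
Subsystem sftp internal-sftp

# ordinary uploaders: locked into their own subdirectory of $1
Match Group $2
    ChrootDirectory $1/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# back-office user: chrooted at the top of the tree
Match User $3
    ChrootDirectory $1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}
```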