
I want to set up a jailed SFTP account for a subfolder of another user's home folder, but I want the owner of everything in that subfolder to stay the same, including new files and folders uploaded and created by the SFTP user, while still allowing access to the files and folders of that subfolder as if the SFTP user were the parent user.

Users: rawny, bawb-sftp

/home/rawny <- rawny owns this
/home/rawny/sftp <- rawny owns this too, but bawb-sftp can upload to it, edit files, etc.

bawb-sftp uploads a file /home/rawny/sftp/lol.txt. rawny should still own the file, as if he had made it in the first place, even though bawb-sftp was the one that uploaded it.

Basically I guess I'm asking for an sftp jail that acts as a highly limited passthrough/puppet for another user?

Dragonshadow

1 Answer

Assuming Linux, using a group is one way to go here. Create a group containing both rawny and bawb-sftp, and use chgrp thatgroup /home/rawny/sftp (assuming you are starting with an empty directory; add -R for recursive otherwise).

Next, set both the suid and sgid bits on the directory, and give both user and group rwx access: chmod 677? /home/rawny/sftp (replace the ? with whatever you want world access to be. Common choices are 5 (rx), 1 (x) and 0, depending on whether you want anyone else to access this at all or not.) If the folder isn't empty, do not use -R; you'll need to apply the suid/sgid/x bits to each folder individually.

The suid/sgid bits, when used on directories in Linux, cause newly created files and subdirectories to automatically be owned/grouped the same as the directory (subdirectories will also be suid/sgid), so all files created under /home/rawny/sftp will be owned by rawny and in thatgroup, so bawb-sftp can access them. Note that the umask may need to be modified to create files with group-write permissions (see here, but use umask 00?, where ? is 2, 6 or 7, matching the choices earlier).

DerfK
  • This seems to work, except setting umask doesn't work with internal-sftp even with openssh 5.5p1, so I'm not sure what to do about that. – Dragonshadow Jun 29 '11 at 22:38
  • Nevermind, I was setting the umask wrong! Though I noticed the new files I create as bawb-sftp do not have the special flag like the pre-existing files do – Dragonshadow Jun 29 '11 at 22:52
  • @Dragonshadow files won't be suid/sgid, it means something completely different for files than it does for directories. Directories you create should, though. – DerfK Jun 30 '11 at 00:32
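The procedure from the answer (group, special bits on the directory, umask), as an added example that is not part of the original answer. It builds the shared directory and then probes what a file and a subdirectory created inside it really inherit, which is the check the comment thread was circling around. Two things are assumptions made here rather than taken from the page: the group name sftpshare and the probe paths, and a Linux host with GNU coreutils (stat -c). The example sets only the setgid bit (2xxx) instead of the answer's 6xxx, because Linux ignores the setuid bit on a directory: the group of new entries is inherited from the directory, but their owner is always the creating user, so the probe reports the owner explicitly so you can see that for yourself.

```shell
#!/bin/sh
# Added example, not code from the original answer. Sets up a group-shared
# directory as the answer describes, then probes what a new file and a new
# subdirectory inside it actually inherit.
# Assumptions: Linux with GNU coreutils (stat -c); the group name and the
# probe file names are placeholders chosen for this example.
set -eu

# setup_shared_dir DIR GROUP [WORLD]
# Gives DIR to GROUP, sets the setgid bit so new entries inherit GROUP, and
# grants user and group rwx. WORLD is the "?" from the answer: 5 (rx), 1 (x) or 0.
# Only setgid (2xxx) is set, not 6xxx: Linux ignores setuid on a directory, so
# the owner of anything new is the creating user, never the directory owner.
setup_shared_dir() {
    dir=$1; group=$2; world=${3:-0}
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod "277${world}" "$dir"
}

# Numeric uid / gid / octal mode (including special bits) of a path, via GNU stat.
entry_owner() { stat -c %u "$1"; }
entry_group() { stat -c %g "$1"; }
entry_mode()  { stat -c %a "$1"; }

# check_inherit DIR
# Creates a file and a subdirectory under DIR with the answer's umask (002) and
# prints one line: whether the group was inherited, the numeric owner of the new
# file, the file mode (664 with umask 002) and the subdirectory mode, which
# should carry the inherited setgid bit (2775).
check_inherit() {
    dir=$1
    f="$dir/probe.$$"; d="$dir/probedir.$$"
    ( umask 002; : > "$f"; mkdir "$d" )
    if [ "$(entry_group "$f")" = "$(entry_group "$dir")" ] &&
       [ "$(entry_group "$d")" = "$(entry_group "$dir")" ]; then
        g=group-ok
    else
        g=group-mismatch
    fi
    result="$g owner=$(entry_owner "$f") mode=$(entry_mode "$f") subdir=$(entry_mode "$d")"
    rm -rf "$d"; rm -f "$f"
    printf '%s\n' "$result"
}

# Self-contained demo on a temporary directory using the caller's own primary
# group, so it runs without root. For the real layout you would run, as root,
#   setup_shared_dir /home/rawny/sftp sftpshare 0
# and then, logged in as bawb-sftp,
#   check_inherit /home/rawny/sftp
demo_dir=$(mktemp -d)
setup_shared_dir "$demo_dir/sftp" "$(id -gn)" 0
check_inherit "$demo_dir/sftp"        # e.g. "group-ok owner=1000 mode=664 subdir=2775"
rm -rf "$demo_dir"
```

When the SFTP user is confined with internal-sftp, the shell umask from the comment thread is not what applies; the umask for that session is set in sshd_config with the subsystem's own option, for example ForceCommand internal-sftp -u 002 inside the Match block for bawb-sftp (the -u option of sftp-server, available since OpenSSH 5.4). Running check_inherit as bawb-sftp after the change confirms both the mode and the group in one line.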