9

I have a directory that multiple users have access to. They change, upload, and delete files in the directory. They all belong to the same user group. The files in the directory have access rights of 660.

The problem is that the users cannot set the modification time of files if they're not the owner of that file.

For example user AAA uploads a file 'EXAMPLE.jpg', user BBB downloads it, modifies it and uploads it again. The file's 'last modified' timestamp will be of the time BBB uploaded it, not when it was really last modified. I tried setting the file's permissions to 777, but it didn't help.

The problem shows in sftp-logs as:

```
Dec  5 16:37:08 servername sftp-server[695]: open "/shared_directory/EXAMPLE.jpg" flags WRITE,CREATE,TRUNCATE mode 0666
Dec  5 16:37:08 servername sftp-server[695]: close "/shared_directory/EXAMPLE.jpg" bytes read 0 written 42765
Dec  5 16:37:08 servername sftp-server[695]: set "/shared_directory/EXAMPLE.jpg" modtime 20111205-15:53:31
Dec  5 16:37:08 servername sftp-server[695]: sent status Permission denied
```

WinSCP will complain about the situation with: "Upload of file 'example.jpg' was successful, but error occurred while setting the permissions and/or timestamp. If the problem persists, turn on 'ignore permission errors'." The warning can easily be ignored, but what if I want to allow my users to "preserve" the timestamps by editing them after file upload?

There is already a question similar to this one, but it has gone unanswered :(.

jous

2 Answers

10

For some mysterious reason, Unix/Linux systems guard the mtime very strongly. Only the owner[*] can do what you require, i.e. push the mtime back.

You can't control it with the ACLs (`man setfacl`).

One workaround I can think of is to use Samba, which has the `dos filemode` option. It does exactly what you require (although the name is not very obvious). Of course I'm far from recommending Samba over sftp; Samba is an administrative nightmare.

In fact, if I were you, I would go for a very, very ugly hack. Write a script that scans sftp-log file for the `set ... modtime` line, and for each such line immediately attempt to run `touch --mtime`. Obviously, the script needs to run as root, so make sure it is secure from code injection (such as filenames and dates containing `'` or `"` or `;` or `$` characters).


[*] Actually, also a user possessing `CAP_FOWNER` (such as root), but this is a system-wide capability, so not applicable to your case.

kubanczyk
  • What you describe is [utimes](https://man7.org/linux/man-pages/man2/utimes.2.html)'s behavior. [utimensat](https://man7.org/linux/man-pages/man2/utimensat.2.html) - what modern `touch` and other utilities use - can set timestamps (to current time only) even without owning the file, provided that the user has write access to the file. – Irfan Latif Sep 05 '20 at 09:45
  • 1
    @IrfanLatif Thanks, I've re-touched the answer (hah) to be more clear. As OP wanted to set the mtime in the past, it's just a cosmetic change. – kubanczyk Apr 19 '22 at 08:19
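The log-scanning workaround from the answer above, sketched as an added example (not code from the post) with the injection concern handled by never invoking a shell or `touch`: the file name is only ever passed to system calls, and only regular files inside the shared tree are changed. `SHARED_ROOT`, the function names and the local-time reading of the logged `modtime` are assumptions; `SAMPLE` is the line from the question's log.

```python
import os
import re
import stat
from datetime import datetime

SHARED_ROOT = "/shared_directory"  # assumption: the only tree this helper may touch

# Only sftp-server's own 'set "<path>" modtime <YYYYMMDD-HH:MM:SS>' lines match.
SET_RE = re.compile(
    r'sftp-server\[\d+\]: set "(?P<path>.+)" modtime '
    r'(?P<ts>\d{8}-\d{2}:\d{2}:\d{2})$')

# The line from the question's log, reused as sample input.
SAMPLE = ('Dec  5 16:37:08 servername sftp-server[695]: set '
          '"/shared_directory/EXAMPLE.jpg" modtime 20111205-15:53:31')


def parse_set_modtime(line):
    """Return (path, epoch) for a 'set ... modtime' line, or None."""
    m = SET_RE.search(line.rstrip("\n"))
    if not m:
        return None
    try:
        # Assumption: the logged time is in the server's local time zone.
        when = datetime.strptime(m.group("ts"), "%Y%m%d-%H:%M:%S")
    except ValueError:  # e.g. month 13: right shape, not a real date
        return None
    return m.group("path"), when.timestamp()


def apply_modtime(path, mtime, root=SHARED_ROOT):
    """Set mtime on a regular file strictly inside root; True if applied."""
    if not os.path.isabs(path):
        return False  # never resolve a logged name against our own cwd
    root, real = os.path.realpath(root), os.path.realpath(path)
    if real == root or os.path.commonpath([root, real]) != root:
        return False  # '..' or a symlink leads out of the shared tree
    try:
        # O_NOFOLLOW refuses a symlink as the final path component.
        fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False
        os.utime(fd, (st.st_atime, mtime))  # keep atime, set logged mtime
        return True
    finally:
        os.close(fd)
```

Syslog lines can be written by any local user, so the log is untrusted input; confining changes to regular files under the shared root limits what a forged line can do.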
2

The users can delete then upload the changed files. In this way they will change the ownership and they will be able to update the timestamp of the file.

The folder permission should be something like `drwxrwsr-x` and the file permission should be like `-rw-rw-r--`. The user should be in the same group as the folder and files.

See also: How do I set permissions structure for multiple users editing multiple sites in /var/www on Ubuntu 9.10?

Mircea Vutcovici