0

I've set up SFTP, so that some users can upload files to a directory where the web application can pick them up. The webserver is running as user A, and SFTP is configured for user B.

User A is uploading files to /sftpchroots/filesbyA/ (owned by root:root, to enable a chroot). Naturally, these files are owned by A after uploading. User B has to process them, though, and needs ownership to be able to remove them afterwards.

Is there a way to set it up so that everything uploaded to that directory, (or everything uploaded by user A) has its ownership changed to user B? Or is there a way to allow B to unlink the files without being owner (e.g. having group permissions set somehow)?

EDIT: as it turns out, the situation is a bit more nuanced. User A will be uploading folders with files in them. These folders will thus be owned by A, as well as their contents.

Joost
  • 177
  • 1
  • 9

1 Answers1

2

Only write permission on the containing directory is needed to delete a file. Neither ownership nor permissions of the file itself come into play.

EDIT: In the case of subdirectories being created via SFTP, this can be achieved in several ways:

  • by making them world writeable (normally not desirable for security reasons)
  • by making them group writeable and adding B to the group
  • by adding an ACL granting B write permission
Tilman Schmidt
  • 3,778
  • 10
  • 23
  • This works to some extend in the sense that it allows `B` to delete all files directly below the directory that is owned by `B`. However, as soon as `A` uploads a directory with files inside `B` cannot touch these files, it seems.. – Joost Aug 17 '15 at 21:25
  • My statement applies, mutatis mutandis, to subdirectories too. B doesn't need ownership of the subdirectories, just write permission. – Tilman Schmidt Aug 18 '15 at 08:47
  • Right, the write permission on the child directory was missing. You're correct! Still, I've gone with ACL (with a default setting) in the end – if I understand it correctly, this prevents SFTP users from (accidently) adjusting permissions such that B cannot remove the files anymore (740?). – Joost Aug 18 '15 at 09:32
  • Absolutely. A default ACL is a good way to grant write permission to the entire directory tree. – Tilman Schmidt Aug 18 '15 at 09:36