
I have a Linux Mint machine which provides a kind of file dump that is served via nginx.

My problem is that a single user (upload_usr) should be able to place new files/directories inside one specific folder, but he shouldn't be allowed to replace or change any existing file.

This should work like this:

  • put a.txt -> fine
  • put a.txt -> disallow
  • cat a.txt -> fine
  • put b.txt -> fine
  • rm a.txt -> disallow

It is important that another user who isn't root needs to be able to r/w in this dir.

What would be the easiest way to achieve this?

1 Answer


(Assuming openssh with sftp-server.)

If you allow SSH then this is nearly impossible. However, if you only allow SFTP:

should be able to place new files/directorys inside one specific folder

Use ChrootDirectory

For the other requirements -P blacklisted_requests and -u umask should be sufficient. (You can see the request types by running /usr/lib/openssh/sftp-server -Q requests.)

put a.txt -> fine

allow write (allowed by default)

put a.txt -> disallow

Run the sftp-server with -u 0222 and disallow setstat and fsetstat.

cat a.txt -> fine

allow read (allowed by default)

put b.txt -> fine

allow write (allowed by default)

rm a.txt -> disallow

disallow remove (and rmdir?)

TLDR Limit users with ChrootDirectory and run sftp-server with -u 0222 -P remove,rmdir,setstat,fsetstat

Mark Wagner
  • Maybe he can mix your solution with *Match Group* and *ForceCommand*, to force users in group to use SFTP, while keeping ssh enabled. – JucaPirama Apr 10 '19 at 16:49
  • Yes, something like `ForceCommand internal-sftp` would disable interactive SSH sessions. – Mark Wagner Apr 10 '19 at 17:01
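The following script puts the answer and the Match Group / ForceCommand comment together: it lays out a chroot with a writable upload subdirectory, writes the sshd fragment, and dry-runs what umask 0222 does to new files and directories. It is an added example, not code from the original post; the paths, the group names sftponly and shared, the sshd_config.d include location, and the extra rename/posix-rename entries in the -P list are assumptions, and it goes slightly beyond the answer by blocking renames too.

```shell
#!/bin/sh
# Added example, not from the original post. DUMP_ROOT, SFTP_CONF and the group
# names "sftponly" and "shared" are assumptions; override them via the environment.
set -eu
DUMP_ROOT="${DUMP_ROOT:-/srv/dump}"                         # the ChrootDirectory
SFTP_CONF="${SFTP_CONF:-/etc/ssh/sshd_config.d/sftp-dump.conf}"

setup_layout() {
    # sshd requires the chroot itself to be root-owned and not group/world-writable,
    # so uploads go to a subdirectory. 2775 lets the owner (upload_usr) and the
    # "shared" group (the other non-root user) read/write; setgid keeps the group.
    mkdir -p "$DUMP_ROOT/incoming"
    chmod 0755 "$DUMP_ROOT"
    chmod 2775 "$DUMP_ROOT/incoming"
    if id upload_usr >/dev/null 2>&1 && getent group shared >/dev/null 2>&1; then
        chown root:root "$DUMP_ROOT"
        chown upload_usr:shared "$DUMP_ROOT/incoming"
    fi
}

write_sshd_fragment() {
    # internal-sftp takes the same -u/-P options as sftp-server. rename and
    # posix-rename are blocked in addition to the answer's list, because renaming
    # a.txt away would otherwise free the name for a fresh put of new content.
    mkdir -p "$(dirname "$SFTP_CONF")"
    cat > "$SFTP_CONF" <<EOF
Match Group sftponly
    ChrootDirectory $DUMP_ROOT
    ForceCommand internal-sftp -u 0222 -P remove,rmdir,rename,posix-rename,setstat,fsetstat
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Local dry run of what -u 0222 does to new entries: prints "<file mode> <dir mode>".
# Files come out 0444 (a second put is refused), but directories come out 0555, so
# the uploader cannot put anything into a directory they created themselves.
umask_0222_modes() {
    d=$(mktemp -d)
    ( umask 0222 && : > "$d/a.txt" && mkdir "$d/sub" )
    f=$(stat -c %a "$d/a.txt" 2>/dev/null || stat -f %Lp "$d/a.txt")
    s=$(stat -c %a "$d/sub" 2>/dev/null || stat -f %Lp "$d/sub")
    rm -rf "$d"
    echo "$f $s"
}
```

The 0555 directory result is the one thing to check against the question's "new directories" requirement: with umask 0222, the uploader can create a directory but not fill it, so either have the other (r/w) user create directories or relax the umask to 0022 and accept that existing files stay replaceable by their owner.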