Access only specific folders via SFTP

I have a VPS running Ubuntu Server 14.04.

Here's a selection of my directory structure:

/
    home/
        my_user/
    var/
        www/
            wp-content/
                themes/
                    my-theme/
                    my-theme-child/

Permissions for the directories are 755 and files are 644.

Say I hire a developer, my_user, to work on a theme for me. I want them to be able to do anything they want to their home folder. I also want them to be able to read my-theme and read and write my-theme-child, but nothing more. They shouldn't even be able to see the directory structure of any other part of the server.

I've done some reading and I think a chroot jail would work nicely to keep my developer in their home directory, but I can't figure out how to give them access to my-theme and my-theme-child in addition to their current access.

How can I achieve this?

Marcus McLean

Posted 2015-03-19T15:29:00.780

The lack of rich application-layer access control in SSH/SCP/SFTP is one of the biggest shames of the protocol, imho. – gowenfawr – 2015-03-19T16:10:25.760

You should create a group for the people working in the theme and then assign it for the folders with the right permissions. Remember, the user may try to access the folders manually if you don't restrict the access. – Fg4spr – 2015-03-19T16:35:30.710

@gowenfawr That's more an issue with the widely-used OpenSSH SFTP server program. There are commercial SFTP servers which give more control over what can be accessed remotely. – Kenster – 2015-03-19T21:02:02.287

@Kenster great point - my criticism would be more properly worded "...of the de facto implementation" rather than "of the protocol". – gowenfawr – 2015-03-19T21:05:50.543

Answers

This might be meh for your needs, but I do something similar for letting friends send me files. Assuming your SFTP jail is set up, you can do:

1) Make a home directory for this chrooted myuser. I did mkdir /var/sftproot

2) The user's home directory should be owned by root: chown root:root /var/sftproot

3) mkdir /var/sftproot/dump (inside the chroot jail) and /var/dumpstuff (outside the jail)

4) chown -R myuser:users /var/sftproot/dump and chown -R myuser:users /var/dumpstuff (if you want the user to own it)

5) mount --bind /var/dumpstuff/ /var/sftproot/dump/

/var/sftproot is not writable by myuser, but the subdirectories in it are. This probably limits them to using sftp; no shell access.

You don't say whether you want shell access for this developer, but since it's a developer maybe you do. For that, consider ssh and a jail (this is for Arch, but something similar is probably possible on Ubuntu - I didn't test it).

Bolwerk

Posted 2015-03-19T15:29:00.780

Reputation: 381
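The procedure the answer sketches (root-owned jail root, user-owned subdirectories, bind mounts from outside the jail), carried through for the question's two theme directories, as an added example. It is not code from the question or the answer above; it assumes Ubuntu with OpenSSH's internal-sftp and GNU coreutils (stat -c), and the group name sftponly, the jail root /var/sftproot and the layout inside the jail are this example's own choices; my_user and the theme paths come from the question. It goes beyond the answer in three places a practitioner needs anyway: the sshd_config Match block that actually applies the jail, a read-only bind for my-theme (plain "ro" on a bind line is ignored by the util-linux in 14.04, so it is remounted), and a check of the ownership rule sshd enforces on the ChrootDirectory path.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above: jail an
# SFTP-only developer and expose two theme directories inside the jail with
# bind mounts. Assumes Ubuntu with OpenSSH's internal-sftp and GNU coreutils
# (stat -c). The group name sftponly, the jail root /var/sftproot and the
# layout inside the jail are this example's assumptions; my_user and the
# theme paths come from the question.

USER_NAME=my_user
GROUP_NAME=sftponly                 # assumption: a group for jailed users
JAIL=/var/sftproot/$USER_NAME       # assumption: one jail per user
THEMES=/var/www/wp-content/themes   # from the question's directory listing

# sshd_config Match block that jails every member of the group and refuses
# anything but SFTP. Match blocks must come after the global directives, so
# append it at the end of the file.
sshd_match_block() {
    cat <<EOF
Match Group $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# /etc/fstab entries that bind the themes into the jail. A bind mount keeps
# the permissions of the underlying directory, so writability of
# my-theme-child is still decided by its ownership, not by the mount. The
# util-linux shipped with 14.04 ignores "ro" on a plain bind line, hence the
# second "remount" line for my-theme.
fstab_lines() {
    printf '%s %s none bind 0 0\n' "$1/my-theme" "$2/my-theme"
    printf '%s %s none bind,remount,ro 0 0\n' "$1/my-theme" "$2/my-theme"
    printf '%s %s none bind 0 0\n' "$1/my-theme-child" "$2/my-theme-child"
}

# sshd refuses the ChrootDirectory unless it and every ancestor are owned by
# root and not writable by group or others. Walk up from $1 to $2 (default /)
# and check each component; $3 is the expected owner (default root).
chroot_path_ok() {
    p=$1; top=${2:-/}; owner=${3:-root}
    while :; do
        own=$(stat -c %U "$p") || return 1
        mode=$(stat -c %a "$p") || return 1
        [ "$own" = "$owner" ] || return 1
        oth=${mode#"${mode%?}"}                 # last octal digit: others
        grp=${mode%?}; grp=${grp#"${grp%?}"}    # second to last: group
        case "$grp$oth" in *[2367]*) return 1 ;; esac   # a write bit is set
        [ "$p" = "$top" ] && return 0
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# The actual change. Needs root, so it only runs when the script is invoked
# with "apply"; otherwise the script just prints the config it would write.
apply_setup() {
    getent group "$GROUP_NAME" >/dev/null || groupadd "$GROUP_NAME"
    usermod -a -G "$GROUP_NAME" "$USER_NAME"
    # Jail root and mount points: root-owned, 755. The writable area mirrors
    # the passwd home path (/home/my_user) because sshd changes into the home
    # directory as resolved inside the jail, or / if it does not exist.
    mkdir -p "$JAIL/home/$USER_NAME" "$JAIL/themes/my-theme" "$JAIL/themes/my-theme-child"
    chown root:root /var/sftproot "$JAIL" "$JAIL/home" "$JAIL/themes"
    chmod 755 /var/sftproot "$JAIL" "$JAIL/home" "$JAIL/themes"
    chown "$USER_NAME:$GROUP_NAME" "$JAIL/home/$USER_NAME"
    # Let the developer write the child theme without changing its owner:
    # group write plus setgid on directories so new files keep the group.
    chgrp -R "$GROUP_NAME" "$THEMES/my-theme-child"
    chmod -R g+rwX "$THEMES/my-theme-child"
    find "$THEMES/my-theme-child" -type d -exec chmod g+s {} +
    fstab_lines "$THEMES" "$JAIL/themes" >>/etc/fstab
    mount -a
    chroot_path_ok "$JAIL" || { echo "jail path not root-owned or writable by others" >&2; exit 1; }
    sshd_match_block "$GROUP_NAME" "$JAIL" >>/etc/ssh/sshd_config
    sshd -t && service ssh reload
}

case "${1:-}" in
    apply) apply_setup ;;
    *) sshd_match_block "$GROUP_NAME" "$JAIL"
       fstab_lines "$THEMES" "$JAIL/themes" ;;
esac
```

Run it without arguments to see the Match block and fstab lines it would write; run it as root with "apply" to perform the setup. Inside the jail the developer sees only home/my_user, themes/my-theme (read-only) and themes/my-theme-child; the rest of the filesystem is simply not there, which is what the question asks for. Because ForceCommand internal-sftp is set, no shell is involved, so the jail needs no binaries or libraries copied into it.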