sftp user as superuser
Alfredo De Luca
alfredo.deluca at gmail.com
Thu Jun 21 15:22:58 UTC 2018
I'll try that... anyway, it's not wrong, as all the users upload stuff
online... and this user (a sort of back office user) needs to move stuff.
Thanks, and I'll give it a try soon.
On Thu, Jun 21, 2018 at 3:38 PM Karl Auer <kauer at biplane.com.au> wrote:
> On Thu, 2018-06-21 at 14:38 +0200, Alfredo De Luca wrote:
> > We have an sftp server with many users (sftp only) chrooted on their
> > directory. Those users are connected to an IDM (freeIPA).
> Sounds normal.
> > All ok except one of those users needs full access (rwx) on all the
> > other users' home directories.
> My immediate reaction is "no, they don't". I am struggling to see why
> this would ever be the case. That said, however:
> > We tried with setfacl but I wasn't able to do what I wanna do... as
> > there are other users (local) who need ssh access and the setfacl breaks
> > the .ssh/authorized_keys.
> Do you REALLY want to give this special user open access to everything
> in people's home directories? It sounds wrong.
> > Any idea/clue how to do this?
> Yes - don't do it.
> If you must do it, then create a special group, change the group
> ownership to that group for just the directories and files you need
> this user to access (i.e. NOT ~/.ssh), and put just this special user
> in your special group. Set the setgid bit on all directories the
> special user requires access to, so that new files will get the same
> ownership as the directory. You may need a script to do this if the
> number of users is more than a few. You will have to make the special
> user's chroot directory the /home directory or higher.
> Then email all users to warn them that this user can see, edit and even
> delete anything they put in their home directories.
> Regards, K.
> Karl Auer (kauer at biplane.com.au)
> GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
> Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
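The group-ownership approach described in the quoted reply, as an added example that is not part of the original thread. The function names and the group name `backoffice` are assumptions; the script skips `~/.ssh` entirely and leaves each home directory's own mode untouched.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: group "backoffice",
# functions share_home / share_all_homes. GNU find (-mindepth) is assumed.
set -eu

# share_home HOME_DIR GROUP
# Hand everything below HOME_DIR, except ~/.ssh, to GROUP with rw(x) access.
# HOME_DIR itself is not modified: when it is an sshd ChrootDirectory it must
# stay root-owned and not group-writable, or sshd rejects the login.
share_home() {
    home=${1%/}
    group=$2
    # Directories: group rwx plus setgid, so new files inherit the group.
    # .ssh is pruned so the StrictModes check on authorized_keys still passes.
    find "$home" -mindepth 1 -path "$home/.ssh" -prune -o -type d \
        -exec chgrp "$group" {} + -exec chmod g+rwxs {} +
    # Regular files: group read/write only (symlinks are left alone).
    find "$home" -mindepth 1 -path "$home/.ssh" -prune -o -type f \
        -exec chgrp "$group" {} + -exec chmod g+rw {} +
}

# share_all_homes BASE GROUP
# Apply share_home to every directory directly under BASE (e.g. /home).
share_all_homes() {
    base=${1%/}
    for dir in "$base"/*/; do
        if [ -d "$dir" ]; then
            share_home "$dir" "$2"
        fi
    done
}

# Run as root with two arguments, e.g.: BASE=/home GROUP=backoffice
if [ "$#" -eq 2 ]; then
    share_all_homes "$1" "$2"
fi
```

Existing files are covered by the one-off run; files created later inherit the group through the setgid bit, but their group write permission still depends on the uploading user's umask.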