sftp user as superuser

Alfredo De Luca alfredo.deluca at gmail.com
Thu Jun 21 15:22:58 UTC 2018


Thanks Karl.
I'll try that... Anyway, it's not wrong, as all the users upload stuff
online... and this user (a sort of back-office user) needs to move stuff
around.

That's all.


Thanks, and I'll give it a try soon.

Thanks


On Thu, Jun 21, 2018 at 3:38 PM Karl Auer <kauer at biplane.com.au> wrote:

> On Thu, 2018-06-21 at 14:38 +0200, Alfredo De Luca wrote:
> > We have an sftp server with many users (sftp only) chrooted on their
> > directory. Those users are connected to an IDM (FreeIPA).
>
> Sounds normal.
>
> > All ok except one of those users needs full access (rwx) on all the
> > other users' home directories.
>
> My immediate reaction is "no, they don't". I am struggling to see why
> this would ever be the case. That said, however:
>
> > We tried with setfacl but I wasn't able to do what I wanna do... as
> > there are other (local) users that need ssh access, and the setfacl breaks
> > the .ssh/authorized_keys.
>
> Do you REALLY want to give this special user open access to everything
> in people's home directories? It sounds wrong.
>
> > Any idea/clue how to do this?
>
> Yes - don't do it.
>
> If you must do it, then create a special group, change the group
> ownership to that group for just the directories and files you need
> this user to access (i.e. NOT ~/.ssh), and put just this special user
> in your special group. Set the setgid bit on all directories the
> special user requires access to, so that new files will get the same
> ownership as the directory. You may need a script to do this if the
> number of users is more than a few. You will have to make the special
> user's chroot directory the /home directory or higher.
>
> Then email all users to warn them that this user can see, edit and even
> delete anything they put in their home directories.
>
> Regards, K.
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer at biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75
> Old fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A


-- 
*Alfredo*
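
The procedure Karl describes in the quoted reply (a special group, group ownership on everything except ~/.ssh, setgid on the directories), sketched as a shell script. This is an added example, not part of either message; the group name `backoffice` and the `/home` base path are assumptions, and it deliberately leaves each home directory itself untouched as well as `~/.ssh`.

```shell
#!/bin/sh
# Added example. Assumed names: group "backoffice", base path /home.
# The group must already exist (locally or in the IDM) with only the
# special user as a member. Run as root:
#   grant_group_access /home backoffice && audit_strictmodes /home

# Give GROUP rw access to everything below each home in BASE except ~/.ssh.
# The home directory itself is not touched: sshd's StrictModes check refuses
# key logins when the home directory, ~/.ssh or authorized_keys is writable
# by group or others.
grant_group_access() {
    base=$1 group=$2
    for home in "$base"/*; do
        if [ -L "$home" ] || [ ! -d "$home" ]; then continue; fi
        # -prune keeps find out of .ssh; symlinks are skipped so chgrp/chmod
        # are not pointed at a user-planted link leading out of the tree.
        find "$home" -path "$home/.ssh" -prune -o \
            ! -path "$home" ! -type l \
            -exec chgrp "$group" {} + -exec chmod g+rwX {} +
        # setgid on directories: files created later inherit the group.
        find "$home" -path "$home/.ssh" -prune -o \
            ! -path "$home" -type d -exec chmod g+s {} +
    done
}

# Print every home, ~/.ssh or authorized_keys under BASE that is group- or
# world-writable. No output means none of them is.
audit_strictmodes() {
    base=$1
    for home in "$base"/*; do
        [ -d "$home" ] || continue
        for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
            [ -e "$p" ] || continue
            find "$p" -prune \( -perm -020 -o -perm -002 \) -print
        done
    done
}
```

Because the home directory itself stays non-group-writable, the special user can work inside existing subdirectories but cannot create or remove top-level entries in a home.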