0

I want to give my friend access to a single folder on my server.

I created a new user for him, created a new group for him, and chgrp -R'd the folder for him so that he would have access.

I just tried SSHing in as him, and he can see everything on my server. He can see all the directories, cat, and download files. The only thing he can't seem to do is modify or create files.

How can I remove access for him from everything except his home folder and this special folder for which he is in the group of?

Here's what I've done, I ran nano /etc/ssh/sshd_config and added this to the bottom:

Match group GROUP
    ChrootDirectory /srv/WEBSITE
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

And then ran service ssh restart.

Now I can't log in as my friend using WinSCP.

mpen
  • 2,186
  • This might help somewhat: http://askubuntu.com/questions/245804/give-access-to-a-specific-user-to-a-specific-folder-within-a-group-terminal – TheWanderer Apr 29 '15 at 01:17
  • Also this: http://askubuntu.com/questions/179333/how-can-i-disable-access-to-the-file-system-for-a-specific-user-or-group – TheWanderer Apr 29 '15 at 01:18
  • This one tells you how to make only your group (or only yourself) able to access your home folder. It can be adapted. – TheWanderer Apr 29 '15 at 01:20
  • What I would do is build a proper chroot environment for this user. See here: http://unix.stackexchange.com/questions/9853/restricting-an-ssh-scp-sftp-user-to-a-directory – noleti Apr 29 '15 at 01:35
  • @noleti "All components of the pathname must be root-owned directories that are not writable by any other user or group." -- That's a pretty ridiculous restriction. At a minimum, I need www-data to be able to read/write to that directory. – mpen Apr 29 '15 at 01:43
  • @Zacharee1 Those links only describe how to remove permissions for a specific folder. I want to remove permissions from every other dir/file in the entire file system. Is chmod -R o-rwx / (i.e. on the root folder) safe to do? – mpen Apr 29 '15 at 01:47
  • @Mark www-data can have write right to the directory content, but not to the parent directories. The point is to prevent another user from redirecting the path to another folder on the filesystem via ln -s or similar. – noleti Apr 29 '15 at 01:47
  • I also strongly advise against changing rights of all other folder with the chmod commands you mention. That is a sure way to mess up your system beyond recovery. – noleti Apr 29 '15 at 01:48
  • @noleti That's what I was thinking.... good thing I didn't run it. – mpen Apr 29 '15 at 01:49
  • You can't block access to the whole filesystem, since, like one of those links explains, there are executables and programs that need to be run. – TheWanderer Apr 29 '15 at 01:49
  • @Zacharee1 By "other"? What's running as "other"? – mpen Apr 29 '15 at 01:50
  • When did I say other? – TheWanderer Apr 29 '15 at 01:51
  • @Zacharee1 I was talking about running chmod -R o-rwx / which removes read/write/execute permissions for "other users". Would that not remove access for my friend? – mpen Apr 29 '15 at 01:56
  • Isn't that what you want? – TheWanderer Apr 29 '15 at 01:57
  • @Zacharee1 Yes... that's precisely what I want. And then I asked if it was safe to do. And then you both said no, it's not safe. Which is it? Will my server explode if I do that or not? – mpen Apr 29 '15 at 02:17
  • Sorry. Tired. Don't block access to root. You'll be fine, but that group won't even be able to login, since Unity, drivers and built in startup apps won't be able to load. – TheWanderer Apr 29 '15 at 02:21
  • @noleti - chroot is somewhat depreciated (it still has uses), use LXC =) – Panther Apr 29 '15 at 03:33

1 Answers1

1

You are not very clear on the things your friend is supposed to do in the folder. As you state that www-data should have write rights as well, I assume this is a web data directory. For this, sFTP or scp would be my tools of choice for your friend. This answer explains how to set up both in a chroot environment. If your friend actually has to log in via ssh, you may need to copy some binaries for him to use, or use ln -s to link /usr into the chroot environment.

Community
  • 1
noleti
  • 4,053
  • 27
  • 25
  • scp access will be sufficient for him, although shell access wouldn't hurt for future reference. I've updated my question with what I've tried... now I can't log in with his account at all. – mpen Apr 29 '15 at 02:09
  • @Mark I'm not sure how you would log in with scp - you just use it to copy files. If you want him to log into your server using SSH, you will have to copy binaries for him to execute. I have never done that myself, so I can't help with that part. – noleti Apr 29 '15 at 10:23