Mailing List Archive

chroot and access to directory OTHER than user's home directory.....
Hi,

I need to allow multiple users (users connecting from different
machines) access to a box so they can all drop (via sftp) files in a
common drop area, say /Whatever/Drop.
If I use OpenSSH with chroot and a single account "dropaccount", then
all users can access that account via sftp given the appropriate setup
(sshd_config, public keys and such).
The /Whatever/Drop directory is owned by a different account name.
That can't change.

How can I allow these users to access the /Whatever/Drop directory?

Thought maybe a symbolic link from the dropaccount's home directory
over to /Whatever/Drop might work, but it doesn't (and maybe for good
reason). But how can this be done?

Also, I think the issue is the same even if there is just one user
accessing the box this way, i.e. the multiple users might just confuse
things here. So could consider just a single user with these
requirements.

Thanks
Re: chroot and access to directory OTHER than user's home directory.....
On Tue, Feb 09, 2010 at 06:05:41PM -0500, Jon Price wrote:
> I need to allow multiple users (users connecting from different
> machines) access to a box so they can all drop (via sftp) files in a
> common drop area, say /Whatever/Drop.

Read the rssh.conf man page. See the section on chrootpath.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
Re: chroot and access to directory OTHER than user's home directory.....
On Tue, Feb 9, 2010 at 3:05 PM, Jon Price <jonelwoodprice@gmail.com> wrote:
> Hi,
>
> I need to allow multiple users (users connecting from different
> machines) access to a box so they can all drop (via sftp) files in a
> common drop area, say /Whatever/Drop.
> If I use OpenSSH with chroot and a single account "dropaccount", then
> all users can access that account via sftp given the appropriate setup
> (sshd_config, public keys and such).
> The /Whatever/Drop directory is owned by a different account name.
> That can't change.
>
> How can I allow these users to access the /Whatever/Drop directory?
>
> Thought maybe a symbolic link from the dropaccount's home directory
> over to /Whatever/Drop might work, but it doesn't (and maybe for good
> reason). But how can this be done?
>
> Also, I think the issue is the same even if there is just one user
> accessing the box this way, i.e. the multiple users might just confuse
> things here. So could consider just a single user with these
> requirements.
>
> Thanks
>

Look into group access. Make "dropaccount" have its own group and
chgrp <specialgroup> /Whatever/Drop
chmod g+rwx /Whatever/Drop

Symbolic links just give an additional path name, not additional perms.

--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
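Centauri's group approach carried through as an added example (mine, not code from anyone in the thread): the owner of /Whatever/Drop stays as it is, a dedicated group gets rwx, and the setgid bit makes every uploaded file inherit that group rather than the uploader's primary group, so the owner account and the drop group can both read what arrives. The audit function checks the result. The names "dropgrp" and "/Whatever/Drop" in the comments are placeholders; the test below uses a temporary directory and the caller's own group. One caveat the thread leaves implicit: OpenSSH refuses a ChrootDirectory whose path has any component not owned by root or writable by group or others, so a group-writable drop directory has to sit below the chroot root and never be the root itself.

```shell
#!/bin/sh
# Added example, not from the thread: give a group write access to a shared
# drop directory without changing its owner, then audit the result.
# "dropgrp" and "/Whatever/Drop" below are assumed placeholder names.
set -eu

# share_drop DIR GROUP
#   Leave DIR's owner untouched, hand it to GROUP, grant group rwx, set the
#   setgid bit so files created inside inherit GROUP, and drop access for
#   everyone else.  Typical call: share_drop /Whatever/Drop dropgrp
share_drop() {
    dir=$1
    grp=$2
    chgrp "$grp" "$dir"
    chmod 2770 "$dir"          # drwxrws--- : owner rwx, group rwx+setgid, others none
}

# audit_drop DIR GROUP
#   Return 0 when DIR belongs to GROUP and carries group rwx plus setgid,
#   1 otherwise.  Reads ls -ld rather than stat, whose flags differ
#   between GNU and BSD.
audit_drop() {
    dir=$1
    grp=$2
    line=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$group" != "$grp" ]; then
        printf '%s: group is %s, expected %s\n' "$dir" "$group" "$grp" >&2
        return 1
    fi
    case "$mode" in
        d???rws*) return 0 ;;     # positions 5-7 read "rws": group rwx with setgid
        *)
            printf '%s: mode %s lacks group rwx+setgid\n' "$dir" "$mode" >&2
            return 1 ;;
    esac
}
```

Run share_drop once as root (chgrp to a group you are not a member of needs it); audit_drop is safe to run from a cron job or a configuration check as any user that can list the directory. With setgid on the directory, files uploaded through sftp land with the directory's group regardless of which account uploaded them, which is what lets the owning account and the drop group share the contents.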
Re: chroot and access to directory OTHER than user's home directory.....
In the last episode (Feb 09), Jon Price said:
> I need to allow multiple users (users connecting from different machines)
> access to a box so they can all drop (via sftp) files in a common drop
> area, say /Whatever/Drop. If I use OpenSSH with chroot and a single
> account "dropaccount", then all users can access that account via sftp
> given the appropriate setup (sshd_config, public keys and such). The
> /Whatever/Drop directory is owned by a different account name. That can't
> change.
>
> How can I allow these users to access the /Whatever/Drop directory?

Chroot the users to a common sftp root instead of their home directory
("/usr/sftpusers/" for example). You will have to tell them to cd to
"/myusername" to write to their private directory, or "/Drop" to upload to
the common dropbox directory.

Another solution might be to leave everyone chrooted in their home
directories, create a /Drop directory in everyone's home dir, and have a
cron job that runs every 5 minutes or so that moves files in
/usr/sftpusers/*/Drop/ that are older than 5 minutes into your other dropbox
directory, where you can process them at your leisure. This won't work if
they are supposed to be able to download files that other users have
uploaded, though.


--
Dan Nelson
dnelson@allantgroup.com
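The periodic sweeper Dan describes, written out as an added example (mine, not Dan's code). It moves files older than a given number of minutes out of every user's private Drop directory into one shared inbox, and prefixes the uploader's name so that two users' "report.csv" cannot overwrite each other. The /usr/sftpusers/<user>/Drop layout and the 5-minute age are taken from the thread; the inbox path, the "--" separator and the crontab schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: sweep finished uploads out of
# per-user Drop directories into a shared inbox outside the chroots.
set -eu

# sweep_drops ROOT DEST [AGE]
#   ROOT  chroot root holding one directory per user (e.g. /usr/sftpusers)
#   DEST  shared inbox outside the chroots (assumed path, e.g. /srv/inbox)
#   AGE   minutes since last modification before a file counts as finished
sweep_drops() {
    root=$1
    dest=$2
    age=${3:-5}
    for userdir in "$root"/*/; do
        [ -d "$userdir/Drop" ] || continue
        user=$(basename "$userdir")
        # -mmin +AGE selects files modified more than AGE minutes ago.
        # The target name is "<user>--<original name>"; "mv --" stops a
        # file name starting with "-" from being parsed as an option.
        find "$userdir/Drop" -type f -mmin +"$age" \
            -exec sh -c 'mv -- "$1" "$2/$3--$(basename "$1")"' sh {} "$dest" "$user" \;
    done
}

# Run as a script:  sweep_drops.sh /usr/sftpusers /srv/inbox 5
# Assumed crontab line matching the thread's 5-minute interval:
#   */5 * * * *  /usr/local/sbin/sweep_drops.sh /usr/sftpusers /srv/inbox 5
if [ "$#" -ge 2 ]; then
    sweep_drops "$@"
fi
```

The age test is only a heuristic for "upload complete": a client that stalls for longer than AGE minutes in the middle of a transfer will have its half-written file swept. If DEST is on a different filesystem from the chroots, mv degrades to copy-then-delete, so anything reading DEST can see a partial file; in that case copy to a temporary name in DEST and rename it into place at the end.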
Re: chroot and access to directory OTHER than user's home directory.....
Export the directory through NFS. Then have your other users mount the NFS
directory within their own chrooted environment.

Or configure all the users to use the same home directory /Whatever/Drop,
but they would have to have the same keys. But you would still be able to
log who uploaded what by their usernames.

Chris



From: Jon Price <jonelwoodprice@gmail.com>
To: secureshell@securityfocus.com
Date: 02/09/2010 06:42 PM
Subject: chroot and access to directory OTHER than user's home directory.....
Sent by: listbounce@securityfocus.com
Re: chroot and access to directory OTHER than user's home directory.....
Wood.Chris@tatravelcenters.com wrote:
> Export the directory through NFS. Then have your other users mount the NFS
> directory within their own chrooted environment.

Another option is, if your system allows it, to put the shared directory
into its own partition and then mount it multiple times, once in each of
the chrooted directories.

See 'mount --bind' for one method.

/Lars
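Dan's first suggestion (one common chroot root with a per-user directory and a shared Drop beneath it) combined with Lars's bind mount, written out as an added example; this is my configuration, not anything posted by the thread's authors, and the group name sftpusers, the inbox layout and the fstab line are assumptions. The reason the shared directory is bind-mounted under the chroot rather than used as the chroot root: sshd requires every component of a ChrootDirectory path to be owned by root and not writable by group or others, which /Whatever/Drop (owned by another account and writable for uploads) cannot satisfy. A bind mount exposes the same directory at a second path, so the original owner and group permissions, and any setgid bit, still govern uploads.

```text
# sshd_config fragment (added example, not from the thread).
# Assumed: group "sftpusers" exists and every drop user is a member.
Subsystem sftp internal-sftp

Match Group sftpusers
    ChrootDirectory /usr/sftpusers
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# Layout under the chroot root (root:root 0755, as sshd demands):
#   /usr/sftpusers/<user>   owned by <user>, their private area
#   /usr/sftpusers/Drop     mount point for the shared directory
#
# /etc/fstab line for Lars's bind mount (assumed):
/Whatever/Drop  /usr/sftpusers/Drop  none  bind  0  0
```

After `mount -a`, users log in, land in /, and write to /Drop or to /<username>, exactly as Dan describes. Check the root's permissions with `ls -ld /usr/sftpusers` before opening it up: a group- or world-writable chroot root makes sshd reject every login in the Match block with "bad ownership or modes for chroot directory" in the auth log.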
Re: chroot and access to directory OTHER than user's home directory.....
On Tue, Feb 09, 2010 at 05:47:45PM -0600, Derek Martin wrote:
> On Tue, Feb 09, 2010 at 06:05:41PM -0500, Jon Price wrote:
> > I need to allow multiple users (users connecting from different
> > machines) access to a box so they can all drop (via sftp) files in a
> > common drop area, say /Whatever/Drop.
>
> Read the rssh.conf man page. See the section on chrootpath.

Ha! I was not in the folder I thought I was when I replied... sorry.

But since I brought it up, rssh is a pretty good solution for this:

http://www.pizzashack.org/rssh/

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D