On 09/29/2011 04:13 AM, Neil Bothwick wrote:
> On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote:
> 
>> For some reason I thought SFTP would provide access control but now
>> I'm thinking it's just like SSH in that access control is based on
>> file ownership and permissions?  If that's the case, can anyone think
>> of a better way to control remote access to my files than chmod/chown?
> 
> ACLs.
> 

We went this route once too. We had a developer ($USER) who was supposed
to have access to just one subdirectory of /var/www.

I took notes, assuming /etc, /root, and /usr have correct permissions:

   1. A group named ssh_users was created. The $USER account was
      added as a member of this group.

   2. The ssh_users group was granted the ability to traverse /var/www:

      setfacl -m group:ssh_users:--x /var/www

      This is necessary to allow the $USER user to chdir into its
      home directory in /var/www/$HIS_HOME_DIR.

   3. A default ACL was set on /var/www which will apply to each new
      subdirectory created within it.

      setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www

      This prevents members of the ssh_users group from traversing any
      newly-created subdirectories of /var/www.

   4. The default ACL described above was applied manually to each of
      the existing subdirectories of /var/www:

      setfacl -m g:ssh_users:- /var/www/*

      Warning: At the time of writing, there were no regular files in
      /var/www, so the above command makes sense. Don't blindly run it
      again without checking.

   5. The $USER user was granted full read/write/traverse permissions
      on its home directory and all subdirectories/files contained
      therein:

      setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR

   6. At this point, we need to change the default ACLs of every
      directory within /var/www/$HIS_HOME_DIR. This is so that, when
      $USER creates a new file/directory somewhere beneath its home
      directory, it has access to the newly-created file or directory:

      setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR

      This command sets the default ACL recursively, and is smart
      enough to only apply the command to directories.

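A way to check what the six setfacl steps above actually grant before trusting them: model the acl(5) access check and default-ACL inheritance and run the developer account through the resulting tree. This is an added example, not code from the post; the names root, dev and ssh_users, the directory names and the creation modes are constructed assumptions. It shows two things the steps rely on but do not spell out: a matching named-group entry such as g:ssh_users:- is final (o::rx on the same directory is never consulted for that user), and entries inherited from a default ACL are clipped by the mode the creating program passes (umask is not applied when a default ACL exists), so the named u:$USER:rwx entry can end up effectively r-- on a file created there by another account.

```python
"""Model of the POSIX.1e ACL access check and default-ACL inheritance
(rules from acl(5)), applied to the /var/www layout described above.
Added example, not from the mailing-list post. The names root, dev,
ssh_users, the directory names and the creation modes are constructed
assumptions; with a default ACL in place the umask is not applied, so
the mode the creating program passes (0666/0777 for most tools) is
what clips the inherited entries.
"""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, same encoding as an octal mode digit


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                 # u::  (owner) entry
    group_obj: int                # g::  (owning group) entry
    other: int                    # o::  entry
    users: dict = field(default_factory=dict)   # named u:NAME: entries
    groups: dict = field(default_factory=dict)  # named g:NAME: entries
    mask: Optional[int] = None    # m:: entry; None for a minimal ACL

    def recalc_mask(self) -> "Acl":
        """What setfacl does without -n: mask = union of the group class."""
        if self.users or self.groups or self.mask is not None:
            m = self.group_obj
            for p in list(self.users.values()) + list(self.groups.values()):
                m |= p
            self.mask = m
        return self


def _eff(acl: Acl, perm: int) -> int:
    """Named-user, named-group and owning-group entries are clipped by the mask."""
    return perm if acl.mask is None else perm & acl.mask


def allowed(acl: Acl, uid: str, groups: set, want: int) -> bool:
    """acl(5) access check: the first matching entry class decides."""
    if uid == acl.owner:
        return acl.user_obj & want == want          # u:: is never masked
    if uid in acl.users:
        return _eff(acl, acl.users[uid]) & want == want
    found = False
    for gname, perm in [(acl.group, acl.group_obj)] + list(acl.groups.items()):
        if gname in groups:
            found = True
            if perm & want == want:                    # first entry granting it wins...
                return _eff(acl, perm) & want == want  # ...but the mask still applies
    if found:
        return False       # matched a group entry: o:: is NOT consulted
    return acl.other & want == want


def inherit(default: Acl, owner: str, group: str, mode: int) -> Acl:
    """Access ACL of a new object: the default ACL clipped by the creation mode."""
    new = Acl(owner, group, default.user_obj, default.group_obj, default.other,
              dict(default.users), dict(default.groups), default.mask)
    new.user_obj &= (mode >> 6) & 7
    new.other &= mode & 7
    if new.mask is not None:
        new.mask &= (mode >> 3) & 7       # group bits of the mode clip the mask...
    else:
        new.group_obj &= (mode >> 3) & 7  # ...or g:: when there is no mask
    return new


DEV, SSH_USERS = "dev", "ssh_users"           # constructed: $USER and the group

# Step 2: /var/www is root:root 0755 and gains g:ssh_users:--x
var_www = Acl("root", "root", R | W | X, R | X, R | X,
              groups={SSH_USERS: X}).recalc_mask()
# Step 3: default ACL u::rwx,g::rx,g:ssh_users:-,o::rx on /var/www
www_default = Acl("root", "root", R | W | X, R | X, R | X,
                  groups={SSH_USERS: 0}).recalc_mask()
# Steps 4+5: the developer's home carries g:ssh_users:- and u:dev:rwx
dev_home = Acl("root", "root", R | W | X, R | X, R | X,
               users={DEV: R | W | X}, groups={SSH_USERS: 0}).recalc_mask()
# Step 6: default ACL u::rwx,u:dev:rwx,g::rx,o::rx below the developer's home
home_default = Acl("root", "root", R | W | X, R | X, R | X,
                   users={DEV: R | W | X}).recalc_mask()


def scenario() -> dict:
    """What the developer (member of ssh_users) can do in the resulting tree."""
    g = {DEV, SSH_USERS}
    sibling = inherit(www_default, "root", "root", 0o777)     # another site's dir
    root_file = inherit(home_default, "root", "root", 0o640)  # restrictive mode
    own_dir = inherit(home_default, DEV, DEV, 0o777)          # mkdir by dev
    return {
        "traverse /var/www": allowed(var_www, DEV, g, X),
        "list /var/www": allowed(var_www, DEV, g, R),          # o::rx does not help
        "traverse sibling dir": allowed(sibling, DEV, g, X),   # g:ssh_users:- wins
        "rwx own home": allowed(dev_home, DEV, g, R | W | X),
        "read root-created file": allowed(root_file, DEV, g, R),
        "write root-created file": allowed(root_file, DEV, g, W),  # mask clipped to r--
        "write own subdir": allowed(own_dir, DEV, g, W),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:26s} {'allowed' if v else 'denied'}")
```

On a real system the same check is `getfacl` on each path (look for the `#effective:` annotation that marks a masked entry) followed by `sudo -u $USER test -x /var/www/other`; the model only makes the rules explicit so the expected result is known before running them.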