>>> For some reason I thought SFTP would provide access control but now
>>> I'm thinking it's just like SSH in that access control is based on
>>> file ownership and permissions? If that's the case, can anyone think
>>> of a better way to control remote access to my files than chmod/chown?
>>
>> ACLs.
>>
>
> We went this route once too. We had a developer ($USER) who was supposed
> to have access to just one subdirectory of /var/www.
>
> I took notes, assuming /etc, /root, and /usr have correct permissions:
>
> 1. A group named ssh_users was created. The $USER account was
>    added as a member of this group.
>
> 2. The ssh_users group was granted the ability to traverse /var/www:
>
>        setfacl -m group:ssh_users:--x /var/www
>
>    This is necessary to allow the $USER user to chdir into its
>    home directory in /var/www/$HIS_HOME_DIR.
>
> 3. A default ACL was set on /var/www which will apply to each new
>    subdirectory created within it.
>
>        setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www
>
>    This prevents members of the ssh_users group from traversing any
>    newly-created subdirectories of /var/www.
>
> 4. The default ACL described above was applied manually to each of
>    the existing subdirectories of /var/www:
>
>        setfacl -m g:ssh_users:- /var/www/*
>
>    Warning: At the time of writing, there were no regular files in
>    /var/www, so the above command makes sense. Don't blindly run it
>    again without checking.
>
> 5. The $USER user was granted full read/write/traverse permissions
>    on its home directory and all subdirectories/files contained
>    therein:
>
>        setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR
>
> 6. At this point, we need to change the default ACLs of every
>    directory within /var/www/$HIS_HOME_DIR. This is so that, when
>    $USER creates a new file/directory somewhere beneath its home
>    directory, it has access to the newly-created file or directory:
>
>        setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR
>
>    This command sets the default ACL recursively, and is smart
>    enough to only apply the command to directories.
Thanks for that. I haven't thought it all the way through, but if Unix ownership and permissions aren't granular enough and subversion's path-based authorization won't work, I will need to use ACLs. I think both subversion's path-based authorization and Unix ownership/permissions would be simpler to implement and maintain than ACLs so I'm hoping it doesn't come to that. - Grant
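As an added example (not code from the thread or from either poster), the following Python script audits `getfacl` output against the layout the quoted notes build: ssh_users may only traverse the web root, gets nothing on every other subdirectory, and the developer's own directory must give them an effective rwx after the ACL mask is applied. The sample output, the names devuser, site_a and dev_home, and the lowered mask on dev_home are all constructed for illustration.

```python
# Constructed, abridged getfacl output (not from a real host); dev_home's mask was later lowered by a chmod.
SAMPLE = """\
# file: /var/www
user::rwx
group::r-x
group:ssh_users:--x
mask::r-x

# file: /var/www/site_a
user::rwx
group:ssh_users:---
mask::r-x

# file: /var/www/dev_home
user::rwx
user:devuser:rwx\t\t#effective:r-x
group::r-x
group:ssh_users:---
mask::r-x
"""

def parse_getfacl(text):
    """Map each '# file:' block to its access entries (tag, qualifier, perms);
    default entries and '#effective:' annotations are ignored."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = []
        elif line and not line.startswith(("#", "default:")):
            acls[path].append(tuple(line.split("#")[0].strip().split(":", 2)))
    return acls

def effective(entries, tag, qual):
    """Rights the kernel grants after the mask: named users/groups and the owning
    group are ANDed with mask::, the owner and other:: are not. None if no entry."""
    mask = dict(((t, q), p) for t, q, p in entries).get(("mask", ""), "rwx")
    for t, q, p in entries:
        if (t, q) == (tag, qual):
            masked = tag == "group" or qual != ""
            return "".join(a if a != "-" and (not masked or a == b) else "-" for a, b in zip(p, mask))

def audit(acls, root, group, dev, dev_home):
    """Deviations from the notes' layout: --x for the group on the root, --- below it, rwx for the developer at home."""
    findings = []
    for path, entries in acls.items():
        want = "--x" if path == root else "---"
        got = effective(entries, "group", group)
        if got != want:
            findings.append(f"{path}: {group} gets {got}, expected {want}")
        if path == dev_home and effective(entries, "user", dev) != "rwx":
            findings.append(f"{path}: {dev} is cut down by mask:: (mask too tight)")
    return findings
```

Running `audit(parse_getfacl(SAMPLE), "/var/www", "ssh_users", "devuser", "/var/www/dev_home")` reports only dev_home, where the named user entry says rwx but the mask reduces it to r-x; a later chmod on a directory rewrites that mask, which is the usual way a working ACL setup like the one above silently breaks.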