From: Michael Orlitzky
Date: Thu, 29 Sep 2011 13:23:23 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} Development framework with access restriction?
Message-ID: <4E84A98B.4070101@orlitzky.com>
In-Reply-To: <20110929091341.128242e2@zaphod.digimed.co.uk>
References: <4E80F086.9010804@orlitzky.com> <20110929091341.128242e2@zaphod.digimed.co.uk>
List-Id: Gentoo Linux mail

On 09/29/2011 04:13 AM, Neil Bothwick wrote:
> On Wed, 28 Sep 2011 19:23:30 -0700, Grant wrote:
>
>> For some reason I thought SFTP would provide access control but now
>> I'm thinking it's just like SSH in that access control is based on
>> file ownership and permissions? If that's the case, can anyone think
>> of a better way to control remote access to my files than chmod/chown?
>
> ACLs.
>

We went this route once too. We had a developer ($USER) who was supposed
to have access to just one subdirectory of /var/www. I took notes,
assuming /etc, /root, and /usr have correct permissions:

1. A group named ssh_users was created. The $USER account was added as a
   member of this group.

2. The ssh_users group was granted the ability to traverse /var/www:

     setfacl -m group:ssh_users:--x /var/www

   This is necessary to allow the $USER user to chdir into its home
   directory in /var/www/$HIS_HOME_DIR.

3. A default ACL was set on /var/www which will apply to each new
   subdirectory created within it.

     setfacl -d --set u::rwx,g::rx,g:ssh_users:-,o::rx /var/www

   This prevents members of the ssh_users group from traversing any
   newly-created subdirectories of /var/www.

4. The default ACL described above was applied manually to each of the
   existing subdirectories of /var/www:

     setfacl -m g:ssh_users:- /var/www/*

   Warning: At the time of writing, there were no regular files in
   /var/www, so the above command makes sense. Don't blindly run it
   again without checking.

5. The $USER user was granted full read/write/traverse permissions on
   its home directory and all subdirectories/files contained therein:

     setfacl -R -m u:$USER:rwx /var/www/$HIS_HOME_DIR

6. At this point, we need to change the default ACLs of every directory
   within /var/www/$HIS_HOME_DIR. This is so that, when $USER creates a
   new file/directory somewhere beneath its home directory, it has
   access to the newly-created file or directory:

     setfacl -d -R --set u::rwx,u:$USER:rwx,g::rx,o::rx /var/www/$HIS_HOME_DIR

   This command sets the default ACL recursively, and is smart enough
   to only apply the command to directories.
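The six steps above as one reviewable script, added here as an example; it is not from the original post or from the Gentoo list. The web root /var/www and the group ssh_users come from the message; the developer account `alice` in the usage line and the function names `grant_dev_acl`, `verify_dev_acl` and `run` are made up for illustration. Two things differ from the commands as posted: step 4 uses `find -type d` instead of a glob, so regular files in the web root are never touched (the warning in the message), and step 5 uses `rwX` so plain files are not made executable. `DRY_RUN=1` prints the privileged commands instead of executing them, so the plan can be reviewed without root or an ACL-enabled filesystem.

```shell
#!/bin/sh
# Added example, not from the original post: the six-step ACL setup as
# one function. Web root, developer account, group and home directory
# are all parameters; the names in the usage comment at the bottom are
# illustrative (alice is invented; /var/www and ssh_users are from the
# message).
#
# DRY_RUN=1 prints each privileged command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_dev_acl WEBROOT USER GROUP HOMEDIR
# Confine USER (a member of GROUP) to WEBROOT/HOMEDIR with POSIX ACLs.
grant_dev_acl() {
    webroot=$1 user=$2 group=$3 homedir=$4
    home="$webroot/$homedir"

    # 1. Group membership is a precondition; it is checked, not created,
    #    so the script never alters account data as a side effect.
    if [ "${DRY_RUN:-0}" != "1" ]; then
        id -nG "$user" | tr ' ' '\n' | grep -qx "$group" ||
            { echo "error: $user is not a member of $group" >&2; return 1; }
        [ -d "$home" ] || { echo "error: $home is not a directory" >&2; return 1; }
    fi

    # 2. The group may traverse the web root but not list it (no r bit);
    #    that is enough to cd into the home directory.
    run setfacl -m "group:$group:--x" "$webroot"

    # 3. Default ACL on the web root: subdirectories created later deny
    #    the group outright.
    run setfacl -d --set "u::rwx,g::rx,g:$group:-,o::rx" "$webroot"

    # 4. The same denial on subdirectories that already exist. find -type d
    #    replaces the posted glob so regular files in the web root are
    #    never touched.
    run find "$webroot" -mindepth 1 -maxdepth 1 -type d \
        -exec setfacl -m "g:$group:-" {} +

    # 5. Full access for the developer on the home tree. The named user
    #    entry overrides the group denial from step 4 because ACL
    #    evaluation matches user entries before group entries. rwX
    #    (capital X) grants execute on directories and on files that are
    #    already executable, so plain files stay non-executable.
    run setfacl -R -m "u:$user:rwX" "$home"

    # 6. Default ACL on every directory under the home, so files and
    #    directories the developer creates later inherit the user entry.
    run setfacl -d -R --set "u::rwx,u:$user:rwx,g::rx,o::rx" "$home"
}

# verify_dev_acl WEBROOT USER HOMEDIR
# Show the resulting ACLs and check, as the developer, that the home is
# enterable and every sibling directory is not.
verify_dev_acl() {
    webroot=$1 user=$2 homedir=$3 rc=0
    run getfacl -p "$webroot" "$webroot/$homedir"
    run sudo -u "$user" test -x "$webroot/$homedir" ||
        { echo "FAIL: $user cannot enter $webroot/$homedir" >&2; rc=1; }
    for d in "$webroot"/*/; do
        d=${d%/}
        [ "$d" = "$webroot/$homedir" ] && continue
        run sudo -u "$user" test ! -x "$d" ||
            { echo "FAIL: $user can enter $d" >&2; rc=1; }
    done
    return $rc
}

# Usage (names illustrative):
#   DRY_RUN=1 sh confine-dev.sh /var/www alice ssh_users alice   # review
#   sudo sh confine-dev.sh /var/www alice ssh_users alice        # apply
if [ $# -eq 4 ]; then
    grant_dev_acl "$@" && verify_dev_acl "$1" "$2" "$4"
fi
```

The filesystem must be mounted with ACL support for any of this to take effect, and the scheme only constrains the developer's own account: the `o::rx` entries in both default ACLs keep everything world-readable so the web server can still serve it, which is why the message assumes /etc, /root and /usr are already locked down by ordinary permissions. The verification step is the check worth keeping: `test -x` run as the developer goes through access(2), so it reflects the ACL mask and entry order rather than the mode bits `ls -l` shows.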