Jeremy Colvin


How to specify folder permissions for specific user accounts to specific sub-directories within a directory

Background:
I have a CentOS based server running Plesk control panel
I have 3 FTP users (more actually, but for this example 3 is fine)
I have the following FTP directory structure (which I will # for ease of explanation below):

(1) /FTP/MainFTPDir/
(2) /FTP/MainFTPDir/Dir1/
(3) /FTP/MainFTPDir/Dir1/SubDirA
(4) /FTP/MainFTPDir/Dir1/SubDirB
(5) /FTP/MainFTPDirDir2/
(6) /FTP/MainFTPDirDir3/SubDirA
(7) /FTP/MainFTPDirDir4

The question I have is how do I give an FTP user access to specified directories (BUT NOT ALL):
Example:
FTP User 1 to have access to (1)(2)(3)(4)(7)
FTP User 2 to have access to (1)(5)(6)(7)
FTP User 3 to have access to (1)(5)(7)

I realize that I can give them access to the main directory, and then they will have access to other directories within, but how do I restrict them to ONLY having access to the sub-directories that I want to give them access to?
David Favor

The way you do this is to...

1) Use chown + chmod to set system level ACLs.

2) Use setfacl to set complex, alternative ACLs.

Using setfacl allows any combination of ACLs you like to set + can be very complex to get working.

You'll just get out the setfacl man page + start changing ACLs till you get the correct settings working.

Note: You still must keep your directory hierarchies straight. In other words, if a parent directory denies some access, you still can't somehow grant some access in the middle of a hierarchy with any command.

You must start from the top/parent down, granting access to each subdirectory to allow groups of users access.
Other considerations.

1) FTP is 100% hackable... Trivial to hack... Only use FTP if you enjoy being hacked.

2) To manage SFTP, install the MySecureShell package which allows near zero config, chroot access for users.

MySecureShell handles most common SFTP access patterns easily.
Jeremy Colvin

ASKER

David Favor:

Thank you. Sounds like MySecureShell is the way to go.... but they don't list CentOS7 - have you tested on 7?
https://mysecureshell.readthedocs.io/en/latest/installation_os_centos_redhat.html

I'm guessing that you're missing the single slashes for 5 through 7.
Here's really all you need for the basics whether you use ssh or ftp.

Make the main folder executable only so that users can't list or create anything under it.
chmod 111 /FTP/MainFTPDir/

Set the ownership of the main folders for each user and make it only accessible to the owner (user)
chown -R user1 /FTP/MainFTPDir/Dir1/
chmod 700 /FTP/MainFTPDir/Dir1/

chown -R user2 /FTP/MainFTPDir/Dir2/
chmod 700 /FTP/MainFTPDir/Dir2/

chown -R user3 /FTP/MainFTPDir/Dir3/
chmod 700 /FTP/MainFTPDir/Dir3/

This should be more than enough to keep users from accessing each other's folders.


I'm also unclear on why MySecureShell is needed.  You can already set users and their folders through regular unix for both FTP and SSH.  Just create the user account and set their "home" folder to their corresponding users.
User1 -> /FTP/MainFTPDir/Dir1/
User2 -> /FTP/MainFTPDir/Dir2/
User3 -> /FTP/MainFTPDir/Dir3/

You could have both FTP and SSH turned on and working at the same time on the same folder, although FTP should really not be used with user accounts any longer.  FTP can still be used for anonymous drops if you want high speed pseudo-anonymous sharing of public files.

Note: I only use Ubuntu, as RedHat/CentOS/Fedora package management seems to turn system admin into a massive time requirement hobby, rather than just installing + updating packages, with all installs/updates working 100% of the time, first time.

The search - mysecureshell install centos 7 - turns up 6K+ results, so just pick one of these guides for your install.

MySecureShell is zero config + at least on Ubuntu has installed on every version for many years + worked every time, with no problems.
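
Added example, not part of the thread and not any poster's code: a dry-run generator for the setfacl approach mentioned above, applied to the asker's access matrix. It follows the top-down rule from the first answer by giving a user traverse-only (--x) access on any parent they were not granted, such as Dir3 for FTP User 2. Assumptions: the user names ftpuser1..3, the slash-corrected paths for (5) through (7), a root-owned tree, and r-x rather than rwx on the shared top directory, since write access there would let one user rename another user's directory.

```sh
#!/bin/sh
# Dry run: prints the commands for the asker's access matrix, changes nothing.
# Assumed: user names ftpuser1..3, slash-corrected paths for (5)-(7),
# root-owned tree, r-x (not rwx) on the shared top directory.
BASE=/FTP/MainFTPDir
# Constructed grant list, one "user perms path" per line.
GRANTS="ftpuser1 r-x $BASE
ftpuser1 rwx $BASE/Dir1
ftpuser1 rwx $BASE/Dir1/SubDirA
ftpuser1 rwx $BASE/Dir1/SubDirB
ftpuser1 rwx $BASE/Dir4
ftpuser2 r-x $BASE
ftpuser2 rwx $BASE/Dir2
ftpuser2 rwx $BASE/Dir3/SubDirA
ftpuser2 rwx $BASE/Dir4
ftpuser3 r-x $BASE
ftpuser3 rwx $BASE/Dir2
ftpuser3 rwx $BASE/Dir4"
# granted USER PATH: succeeds if PATH is explicitly listed for USER.
granted() { printf '%s\n' "$GRANTS" | grep -q "^$1 [rwx-]* $2\$"; }

# acl_plan USER: print the setfacl commands for USER (body is a subshell).
acl_plan() (
  user=$1 seen=
  printf '%s\n' "$GRANTS" | while read -r u perms path; do
    [ "$u" = "$user" ] || continue
    anc=${path%/*}
    # Walk up to BASE: ancestors not granted get traverse-only (--x).
    while case $anc in "$BASE"|"$BASE"/*) true ;; *) false ;; esac; do
      if ! granted "$user" "$anc"; then
        case $seen in *" $anc "*) ;; *)
          echo "setfacl -m u:$user:--x $anc"; seen="$seen $anc " ;;
        esac
      fi
      anc=${anc%/*}
    done
    echo "setfacl -m u:$user:$perms $path"
    # Default ACL: entries created later under a writable dir inherit it.
    if [ "$perms" = rwx ]; then echo "setfacl -d -m u:$user:rwx $path"; fi
  done
)

# acl_plan_all: baseline first (no access for "other"), then each user.
acl_plan_all() {
  echo "chown -R root:root $BASE"
  echo "chmod -R o-rwx $BASE"
  for u in ftpuser1 ftpuser2 ftpuser3; do acl_plan "$u"; done
}
acl_plan_all
```

Review the printed commands before running them as root, then check the result on each directory with getfacl.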