
Re: permissions: can you force ACL to be effective over unix perms?



On Tue, Jan 14, 2014 at 05:21:18PM -0600, Bob Goldberg wrote:

> I have 2 classes of users - SFTP users (customers), and SFTP managers
> (company users that manage customer data).
> 
> I want a highly secure and privacy safe SFTP server. But I also want it to
> appear to users as simple and easy as possible. All users will access SFTP
> only via an SFTP client.
> so my wants are:
> - sftp access only. (but not to exclude ssh access for linux users).
> - sftp users chroot'ed to their home dir, without any added levels of
> directories [beneath home].
> - so users should have "w" access to their home.
> - sftp managers should have "w" access to all sftp-users' home dirs.
> 
> what would be the best way to accomplish this?
> I don't care how complex the setup/config is - as long as it's as easy, and
> idiot-proof for my users as possible.

The first thing that springs to mind is to have the home dirs owned by
the user, with rwx permission, and group of sftpmanager (for example),
with rwx permissions. Have your sftp managers (and only your sftp
managers) be members of group sftpmanager. You could add g+s permission
so newly created files will have group sftpmanager.

You mentioned that the ftp server you are using requires that all
directories leading to the home directories be owned by root with no
group write permissions. Does that apply even to the user's home itself?

Cheers,
Tom
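
As an added example (not code from the thread or either of its participants), here is the layout the reply describes, scripted: each home directory owned by the SFTP user, group-owned by a managers group, mode 2770 (rwxrws---) so the user and the managers get rwx while the setgid bit makes new files inherit the group. The names sftpmanager, /home/sftp and alice are assumptions; the real setup_home calls need root, while check_home works on any directory you can write to.

```shell
#!/bin/sh
# Added example, not from the original thread. Lays out one SFTP user's
# home as the reply suggests: owner = the user, group = managers group
# (assumed name: sftpmanager), mode 2770 so user and group have rwx,
# others nothing, and the setgid bit makes new files inherit the group.
# Requires GNU stat (Linux).

set -eu

# setup_home DIR USER GROUP
# Create DIR owned by USER:GROUP with mode 2770 (setgid, u=rwx, g=rwx, o=).
setup_home() {
    _dir=$1; _user=$2; _group=$3
    mkdir -p "$_dir"
    chown "$_user:$_group" "$_dir"
    chmod 2770 "$_dir"
}

# check_home DIR GROUP
# Verify the layout: mode is exactly 2770, the group is GROUP, and a file
# created inside inherits GROUP (the effect of the setgid bit).
# Prints "ok" and returns 0, or prints the first problem and returns 1.
check_home() {
    _dir=$1; _group=$2
    _mode=$(stat -c '%a' "$_dir")
    _grp=$(stat -c '%G' "$_dir")
    if [ "$_mode" != "2770" ]; then
        printf 'bad mode %s on %s\n' "$_mode" "$_dir"; return 1
    fi
    if [ "$_grp" != "$_group" ]; then
        printf 'bad group %s on %s\n' "$_grp" "$_dir"; return 1
    fi
    # Probe the setgid behaviour with a throwaway file.
    _probe="$_dir/.setgid-probe.$$"
    : > "$_probe"
    _fgrp=$(stat -c '%G' "$_probe")
    rm -f "$_probe"
    if [ "$_fgrp" != "$_group" ]; then
        printf 'new file got group %s, not %s\n' "$_fgrp" "$_group"; return 1
    fi
    printf 'ok\n'
}

# Real deployment (assumed names; run as root):
#   groupadd sftpmanager
#   usermod -aG sftpmanager manager1        # only managers join the group
#   useradd -M -d /home/sftp/alice alice
#   setup_home /home/sftp/alice alice sftpmanager
#   check_home /home/sftp/alice sftpmanager
```

check_home deliberately rejects any mode other than 2770: a stray o+r or o+x would let one customer list another customer's files inside the chroot, and a missing setgid bit would give files uploaded by the user a group the managers are not in. One caveat if the server in question is OpenSSH with ChrootDirectory: the chroot target and every directory above it must be owned by root and not be writable by group or others, so a group-writable home cannot itself be the chroot target, which is exactly the tension the reply's last question points at.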
