
Re: permissions: can you force ACL to be effective over unix perms?



On 15/01/2014 00:21, Bob Goldberg wrote:
On Tue, Jan 14, 2014 at 7:13 AM, Joel Rees <joel.rees@gmail.com> wrote:
Caveat. I don't have the patience to work with ACLs, mostly because I
can't see how they could really work without bringing a system to its
knees.


To be honest - ACLs were by far my first choice for solving my problem.
There is no doubt there's been misinterpretations; I'm sorry for that. 

So let me drop back to square one, and explain what I want - at the highest level. SIMPLY, this:

I have 2 classes of users - SFTP users (customers), and SFTP managers (company users that manage customer data).

I want a highly secure and privacy safe SFTP server. But I also want it to appear to users as simple and easy as possible. All users will access SFTP only via an SFTP client.
So my wants are:
- sftp access only. (but not to exclude ssh access for linux users).
- sftp users chroot'ed to their home dir, without any added levels of directories [beneath home].
- so users should have "w" access to their home.
- sftp managers should have "w" access to all sftp-users' home dirs.

What would be the best way to accomplish this?
I don't care how complex the setup/config is - as long as it's as easy, and idiot-proof for my users as possible.

TIA - Bob

Hello,

I have done something similar in the past with FTP (pure-ftpd).

The principle was just to have two levels of directory, like this:

/srv/ftp/manager1/client1
/srv/ftp/manager1/client2
/srv/ftp/manager2/client3
/srv/ftp/manager2/client4
...

I was using virtual users, so the owner of all the hierarchy was the ftp user.
By having chrooted homes at different levels, you can have what you want.

manager1 : home dir /srv/ftp/manager1
client1 : home dir /srv/ftp/manager1/client1
client2 : home dir /srv/ftp/manager1/client2

manager1 can see files for both clients 1 and 2
client1 and client2 can only see their own files
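The following is an added example, not code from the thread: a POSIX shell script that builds the two-level tree the reply describes under a temporary root and shows what a user chrooted at each level can reach. The manager/client mapping and the temporary root are constructed for the example; the real tree in the reply lives under /srv/ftp. One caveat if the same layout is moved from pure-ftpd to OpenSSH's ChrootDirectory: sshd requires every path component of the chroot to be root-owned and not writable by any other user or group, so the chroot directory itself cannot be the writable home the original question asks for; the reply's design sidesteps that because pure-ftpd virtual users all map to one system account and isolation comes from the chroot level alone.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): two-level layout
# ROOT/<manager>/<client>, with homes chrooted at different depths.

# make_tree ROOT: create the constructed mapping
# manager1 -> client1, client2 ; manager2 -> client3, client4.
# All directories end up owned by the invoking user, mirroring the reply's
# "one ftp owner for the whole hierarchy" virtual-user setup, so mode bits
# do not separate users; only the chroot level does.
make_tree() {
    root=$1
    for pair in manager1:client1 manager1:client2 manager2:client3 manager2:client4; do
        mgr=${pair%%:*}
        cli=${pair#*:}
        mkdir -p "$root/$mgr/$cli"
    done
}

# visible_clients HOME: space-separated list of client directories directly
# beneath HOME, i.e. what a user chrooted at HOME sees at top level.
# A manager home lists its clients; a client home lists nothing.
visible_clients() {
    for d in "$1"/client*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done | tr '\n' ' ' | sed 's/ $//'
}

# inside_chroot HOME PATH: succeed (0) when PATH lies within HOME, so a user
# chrooted at HOME could reach it; fail (1) otherwise. Used to confirm a
# client cannot reach a sibling client's directory while a manager can.
inside_chroot() {
    case $2 in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration under a temporary root.
demo() {
    root=$(mktemp -d)
    make_tree "$root"
    echo "manager1 sees: $(visible_clients "$root/manager1")"
    echo "client1 sees:  $(visible_clients "$root/manager1/client1")"
    if inside_chroot "$root/manager1/client1" "$root/manager1/client2"; then
        echo "client1 can reach client2 (unexpected)"
    else
        echo "client1 cannot reach client2"
    fi
    rm -rf "$root"
}
```

Run the file directly and call `demo` to print the per-level view; the functions are also usable on their own against any root path.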

