{"id":900,"date":"2016-12-20T16:28:09","date_gmt":"2016-12-20T16:28:09","guid":{"rendered":"http:\/\/www.haxed.me.uk\/?p=900"},"modified":"2016-12-20T16:28:09","modified_gmt":"2016-12-20T16:28:09","slug":"configuring-sftp-without-chroot-easy-way","status":"publish","type":"post","link":"https:\/\/haxed.me.uk\/index.php\/2016\/12\/20\/configuring-sftp-without-chroot-easy-way\/","title":{"rendered":"Configuring SFTP without chroot (the easy way)"},"content":{"rendered":"<p>So, I wouldn&#8217;t normally recommend this to customers. However, there are secure ways to add SFTP access without touching the sshd SFTP subsystem or setting up a ChrootDirectory jail. It&#8217;s also possible to achieve a similar setup in a location like \/home\/john\/public_html.<\/p>\n<p>Let&#8217;s assume that public_html and everything underneath it is chowned john:john, so john has all the access, and apache2 runs with its own uid and gid. This was a pretty strange setup, and you don&#8217;t see it every day. But actually, it allowed me to solve another problem that I&#8217;ve been seeing customers have for a long time: the problem of effectively and easily managing permissions. Once I figured this out it was a serious &#8216;aha!&#8217; moment. Here&#8217;s why.<\/p>\n<p>Inside \/etc\/group, we find the customer&#8217;s developer has done something tragic: the developers have been made members of the apache group.<\/p>\n<pre>\r\n[root@web public_html]# cat \/etc\/group | grep apache\r\napache:x:48:john,bob\r\n<\/pre>\n<p>But fine.. 
we&#8217;ll run with it.<\/p>\n<p>Looking at the files inside \/home\/john\/public_html, the sight is not good: almost everything is group-writable (rw for group john), with configuration.php the one file that is group-readable only.<\/p>\n<pre>\r\n]# ls -al \r\ntotal 232\r\ndrwxrwxr-x 27 john john  4096 Dec 20 15:56 .\r\ndrwxr-xr-x 12 john john  4096 Dec 15 11:08 ..\r\ndrwxrwxr-x 10 john john  4096 Dec 16 09:56 administrator\r\ndrwxrwxr-x  2 john john  4096 Dec 14 11:18 bin\r\ndrwxrwxr-x  4 john john  4096 Nov  2 15:05 build\r\n-rw-rw-r--  1 john john   714 Nov  2 15:05 build.xml\r\ndrwxrwxr-x  3 john john  4096 Nov  2 15:05 c\r\ndrwxrwxr-x  3 john john 45056 Dec 20 13:09 cache\r\ndrwxrwxr-x  2 john john  4096 Dec 14 11:18 cli\r\ndrwxrwxr-x 32 john john  4096 Dec 14 11:18 components\r\n-rw-rw-r--  1 john john  1863 Nov  2 15:05 configuration-live.php\r\n-rw-r--r--  1 john john  3173 Dec 15 11:08 configuration.php\r\ndrwxrwxr-x  3 john john  4096 Nov  2 15:05 docs\r\ndrwxrwxr-x  8 john john  4096 Dec 16 17:17 .git\r\n-rw-rw-r--  1 john john  1734 Dec 14 11:21 .gitignore\r\n<\/pre>\n<p>It gets worse.. john has a full login shell:<\/p>\n<pre>\r\n# cat \/etc\/passwd | grep john\r\njohn:x:501:501::\/home\/john:\/bin\/sh\r\n<\/pre>\n<p>Now, adding an SFTP user into this might look like a nightmare, but with a bit of thought it was really easy.<\/p>\n<p>Solving this mess:<\/p>\n<p><strong> Install scponly <\/strong><\/p>\n<pre>\r\nyum install scponly\r\n<\/pre>\n<p><strong> Create a new &#8216;SFTP&#8217; user <\/strong><\/p>\n<p>The new user gets john&#8217;s home directory and \/usr\/bin\/scponly as its login shell, so it can transfer files but never gets an interactive shell. The resulting \/etc\/passwd entry:<\/p>\n<pre>\r\nscponlyuser:x:504:505::\/home\/john:\/usr\/bin\/scponly\r\n<\/pre>\n<p><strong> Create a password for user scponlyuser <\/strong><\/p>\n<pre> \r\npasswd scponlyuser\r\n<\/pre>\n<p><strong> Solution to the john:john permissions <\/strong><\/p>\n<pre>\r\n[root@web public_html]# cat \/etc\/group | grep john\r\napache:x:48:john,bob\r\njohn:x:501:scponlyuser\r\n<\/pre>\n<p>We simply make scponlyuser a supplementary member of the john group, which is what the second line shows. 
That way scponlyuser gets exactly what the group bits on john&#8217;s files allow: read\/write on the rw-rw-r-- files and rwxrwxr-x directories listed above, read only on configuration.php (rw-r--r--), and a read-only view of \/home\/john itself (rwxr-xr-x), without exposing anything owned by other users. Bear in mind that group membership applies to every file group-owned by john anywhere on the box, not just public_html, so check for group-writable john files outside the web root before handing out the account.<\/p>\n<p>This was a cool solution to fixing this customer&#8217;s insecure setup, which they wanted to keep the way they had it, and it was also a great way to add an SFTP account without requiring a chroot jail. Whether it&#8217;s better than the chroot jail is really debatable: what scponly gives you is that this account can only be used for scp and sftp transfers, never an interactive shell, without a jail. A chroot would additionally hide the rest of the filesystem from the account, which this setup does not do. <\/p>\n<p>I was proud of this achievement.. it goes to show Linux permissions are really more flexible than we can imagine. Whether you really want to flex those permissions muscles, though, should be of concern. I advised this customer to change this setup, remove the \/bin\/sh, among other things.. <\/p>\n<p><strong> We finally test SFTP is working as expected with the new scponlyuser <\/strong><\/p>\n<pre>\r\nsftp> rmdir test\r\nsftp> get index.php\r\nFetching \/home\/john\/public_html\/index.php to index.php\r\n\/home\/john\/public_html\/index.php        100% 1420     1.4KB\/s   00:00\r\nsftp> put index.php\r\nUploading index.php to \/home\/john\/public_html\/index.php\r\nindex.php                               100% 1420     1.4KB\/s   00:00\r\nsftp> mkdir test\r\nsftp> rmdir test\r\n<\/pre>\n<p>Just replace &#8216;scponlyuser&#8217; with whatever username you&#8217;re setting up. The only part that has to stay is the \/usr\/bin\/scponly login shell, as that is the environment the account logs into. Apologies that scponly is so similar to scponlyuser ;-D <\/p>\n<pre>\r\nscponlyuser:x:504:505::\/home\/john:\/usr\/bin\/scponly\r\n<\/pre>\n<p>I was very pleased with this! 
Hope that you find this useful too!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, I wouldn&#8217;t normally recommend this to customers. However, there are secure ways to add SFTP access, without the SFTP subsystem having to be modified. It&#8217;s also possible to achieve similar setup in a location like \/home\/john\/public_html. Let&#8217;s assume that &hellip; <a href=\"https:\/\/haxed.me.uk\/index.php\/2016\/12\/20\/configuring-sftp-without-chroot-easy-way\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,70,10,7,61,3],"tags":[],"class_list":["post-900","post","type-post","status-publish","format-standard","hentry","category-apache","category-development","category-filesystem","category-management-tools","category-rackspace","category-security"],"_links":{"self":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts\/900","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/comments?post=900"}],"version-history":[{"count":1,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts\/900\/revisions"}],"predecessor-version":[{"id":901,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/posts\/900\/revisions\/901"}],"wp:attachment":[{"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/media?parent=900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/categories?post=900"},{"taxonomy":"post_tag","embeddable":true,"href":"http
s:\/\/haxed.me.uk\/index.php\/wp-json\/wp\/v2\/tags?post=900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
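Added example, not part of the original post: a small POSIX shell audit of the pattern the post describes (an scponly-shelled account made a supplementary member of the owner's group). It runs offline against constructed copies of the /etc/passwd, /etc/group and `ls -l` data shown in the post; the user names, UIDs/GIDs and modes are assumptions copied from those listings, and the function names are mine. It checks that the SFTP account really has /usr/bin/scponly as its shell, that it is in the owner's group, and then reports, file by file, what the group bits actually grant that account (rw, ro or none), which is the part of the setup that is easy to get wrong.

```shell
#!/bin/sh
# Audit the "scponly user in the owner's group" pattern. Everything below is
# constructed sample data modelled on the post, not read from a live system.

# Constructed /etc/passwd fragment (assumed values from the post).
PASSWD='john:x:501:501::/home/john:/bin/sh
scponlyuser:x:504:505::/home/john:/usr/bin/scponly'

# Constructed /etc/group fragment (assumed values from the post).
GROUP='apache:x:48:john,bob
john:x:501:scponlyuser'

# Constructed `ls -l` of /home/john/public_html (modes as in the post).
LISTING='drwxrwxr-x 10 john john 4096 Dec 16 09:56 administrator
-rw-rw-r--  1 john john 1863 Nov  2 15:05 configuration-live.php
-rw-r--r--  1 john john 3173 Dec 15 11:08 configuration.php
drwxrwxr-x  8 john john 4096 Dec 16 17:17 .git'

# login_shell USER PASSWD_TEXT -> prints USER's login shell (7th passwd field)
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# in_group USER GROUP GROUP_TEXT -> exit 0 if USER is listed as a
# supplementary member of GROUP (4th group field, comma separated)
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# group_access GROUPNAME LISTING -> one "NAME rw|ro|none" line per entry.
# Reports what a non-owner member of GROUPNAME can do, from the group
# triplet (characters 5-7) of the mode string and the group column of ls -l.
group_access() {
    printf '%s\n' "$2" | awk -v g="$1" '
        NF >= 9 {
            mode = $1; grp = $4; name = $9
            r = (substr(mode, 5, 1) == "r"); w = (substr(mode, 6, 1) == "w")
            if (grp != g)    a = "none"
            else if (r && w) a = "rw"
            else if (r)      a = "ro"
            else             a = "none"
            print name, a
        }'
}

# audit SFTPUSER OWNERGROUP -> exit 0 only if SFTPUSER is restricted to
# scponly and is a member of OWNERGROUP; explains the failure on stderr.
audit() {
    lshell=$(login_shell "$1" "$PASSWD")
    if [ "$lshell" != "/usr/bin/scponly" ]; then
        echo "$1: login shell is '$lshell', not /usr/bin/scponly" >&2
        return 1
    fi
    if ! in_group "$1" "$2" "$GROUP"; then
        echo "$1: not a member of group $2" >&2
        return 1
    fi
    return 0
}

main() {
    audit scponlyuser john && echo "scponlyuser: scponly shell, member of group john"
    echo "access granted to group john by the group bits:"
    group_access john "$LISTING"
}

main
```

Against the constructed data the audit passes and the report shows `configuration.php ro` next to `configuration-live.php rw` and `.git rw`, which is the concrete meaning of "the same access as the shell user": only what the group bits already allow. On a real box, replace the three constructed variables with `getent passwd`, `getent group` and `ls -l` output; the standard commands that produce the post's passwd and group lines are `useradd -d /home/john -s /usr/bin/scponly scponlyuser` and `usermod -aG john scponlyuser` (assumed, not shown in the post), and `find / -group john -perm -g+w` is the quick way to see what else the group membership writes to outside public_html.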