[TriLUG] Proper way to allowing remote sftp to nginx web server

Ronald Kelley via TriLUG trilug at trilug.org
Fri Apr 1 11:22:04 EDT 2016


Thanks Matt.

Here is the issue:

User-A logs in via sftp and writes a file (TEST_FILE.txt) to the web root directory.  The file permission is now this:

------------------------------------------------------------
-rw-r--r--+ 1 user-A nginx 266 Apr  1 11:10  TEST_FILE.txt
------------------------------------------------------------

Now, User-B logs in via sftp and tries to write to TEST_FILE.txt but can’t because he does not have RW permission (only “R” permission as part of the nginx group).

At this point, I have two options:
* Mask all sftp logins to have UID of nginx and GID of nginx (vi /etc/passwd)
* Constantly run a script (inotify, etc) to change the group permissions to (rw-) on all the files.

How do people handle this when running large/production web servers?  I am sure there is an option I have not seen/heard of yet.
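As an added example, not code from the thread: a small audit for exactly the state described above, listing files in the web root that a member of the shared group cannot modify (group-write bit clear, or wrong group), plus a fixer for the group-write bit along the lines of option 2. The web root path and the group name (nginx in the thread) are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Audit a web root for files that one
# sftp user wrote but other members of the shared group cannot modify.
# Arguments are assumptions: $1 = web root path, $2 = shared group (e.g. nginx).

# Print every regular file under $1 whose group is not $2 or whose
# group-write bit is clear. One path per line; empty output means clean.
audit_webroot() {
    root="$1"
    group="$2"
    # ! -group: wrong group; ! -perm -g=w: group write bit not set
    find "$root" -type f \( ! -group "$group" -o ! -perm -g=w \) -print
}

# Number of offending files; handy as a cron/monitoring check value.
audit_count() {
    audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# Repair only the group-write bit (what the inotify script in option 2
# would do). Fixing a wrong group needs chgrp as root or as a member of
# the target group, so it is deliberately left to the audit output.
fix_group_write() {
    find "$1" -type f ! -perm -g=w -exec chmod g+w {} +
}
```

Run `audit_webroot /path/to/webroot nginx` from cron and alert on non-empty output; note that it only reports the symptom and does not decide who should own the files.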





On Apr 1, 2016, at 10:43 AM, Matt Flyer via TriLUG <trilug at trilug.org> wrote:

The first thing that jumps out at me is the question of permissions for nginx.  I would think it would need only read capability on the directories.  In one setup I use, I set the directories to group write but the server (user ID) is not part of that group and the files are owned by root.  I guess I'm confused about the problem your group changes caused and would be concerned about a security loophole.

As far as file transfers, I'm not really familiar with SFTP, but if the user has ssh access they should be  able to use SCP.

Sent from my iPad

> On Apr 1, 2016, at 10:13 AM, Ronald Kelley via TriLUG <trilug at trilug.org> wrote:
> 
> Greetings all.
> 
> I need to allow remote sftp access to one of our servers for some web development.  I have set up a chroot sftp environment (per https://wiki.archlinux.org/index.php/SFTP_chroot) but am running into a permissions dilemma and need some advice.
> 
> Everything is working as expected - the user can login via sftp and change to the web server’s root directory.  However, since the UID/GID of the remote user (i.e. 9801:9801) does not match the web server’s UID/GID (nginx 1504:1504), the remote user can’t write files to the web server directory.  If I put the user in the same group as nginx, the UID permissions are wrong and the web server has problems.  I was hoping I could find some sort of UID/GID remapping option for sshd but have not found anything yet.
> 
> Short of using nginx’s UID/GID for the remote user in /etc/passwd, how can I get sshd to remap the IDs?  What is the proper security fix?
> 
> Thanks in advance.
> 
> -Ron
> -- 
> This message was sent to: Matt Flyer <matt at noway2.thruhere.net>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web    : http://www.trilug.org/mailman/options/trilug/matt%40noway2.thruhere.net
> Welcome to TriLUG: http://trilug.org/welcome



