[TriLUG] Proper way to allowing remote sftp to nginx web server

Don Jerman via TriLUG trilug at trilug.org
Fri Apr 1 11:30:29 EDT 2016


The files are all world-readable?  So make a new group like wwwcontrib,
assign that group to all users and modifiable files with group rw and don't
make nginx a group member.
nginx can still read them with world permissions.  For items
not-to-be-touched keep them in the nginx group instead.

On Fri, Apr 1, 2016 at 11:22 AM, Ronald Kelley via TriLUG <trilug at trilug.org> wrote:

> Thanks Matt.
>
> Here is the issue:
>
> User-A logs in via sftp and writes a file (TEST_FILE.txt) to the web root
> directory.  The file permission is now this:
>
> ------------------------------------------------------------
> -rw-r--r--+ 1 user-A nginx 266 Apr  1 11:10  TEST_FILE.txt
> ------------------------------------------------------------
>
> Now, User-B logs in via sftp and tries to write to TEST_FILE.txt but can’t
> because he does not have RW permission (only “R” permission as part of the
> nginx group).
>
> At this point, I have two options:
> * Mask all sftp logins to have UID of nginx and GID of nginx (vi
> /etc/passwd)
> * Constantly run a script (inotify, etc) to change the group permissions
> to (rw-) on all the files.
>
> How do people handle this when running large/production web servers?  I am
> sure there is an option I have not seen/heard of yet.
>
> On Apr 1, 2016, at 10:43 AM, Matt Flyer via TriLUG <trilug at trilug.org>
> wrote:
>
> The first thing that jumps out at me is the question of permissions for
> nginx.  I would think it would need only read capability on the
> directories.  In one setup I use, I set the directories to group write but
> the server (user ID) is not part of that group and the files are owned by
> root.  I guess I'm confused about the problem your group changes caused and
> would be concerned about a security loophole.
>
> As far as file transfers, I'm not really familiar with SFTP, but if the
> user has ssh access they should be able to use SCP.
>
> Sent from my iPad
>
> > On Apr 1, 2016, at 10:13 AM, Ronald Kelley via TriLUG <trilug at trilug.org> wrote:
> >
> > Greetings all.
> >
> > I need to allow remote sftp access to one of our servers for some web
> development.  I have setup a chroot sftp environment (per
> https://wiki.archlinux.org/index.php/SFTP_chroot) but am running into a
> permissions dilemma and need some advice.
> >
> > Everything is working as expected - the user can login via sftp and
> change to the web server’s root directory.  However, since the UID/GID of
> the remote user (ie: 9801:9801) does not match the web server’s UID/GID
> (nginx  1504:1504), the remote user can’t write files to the web server
> directory.  If I put the user in the same group as nginx, the UID
> permissions are wrong and the web server has problems.  I was hoping I
> could find some sort of UID/GID remapping option for sshd but have not
> found anything yet.
> >
> > Short of using nginx’s UID/GID for the remote user in /etc/passwd, how
> can I get sshd to remap the IDs?  What is the proper security fix?
> >
> > Thanks in advance.
> >
> > -Ron
> > --
> > This message was sent to: Matt Flyer <matt at noway2.thruhere.net>
> > To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that address.
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > Unsubscribe or edit options on the web    :
> http://www.trilug.org/mailman/options/trilug/matt%40noway2.thruhere.net
> > Welcome to TriLUG: http://trilug.org/welcome
>
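The group layout Don describes, written out as an added example (this is not code from the thread or from any of the posters). It assumes a contributor group named wwwcontrib, a web root such as /srv/sftp/web/htdocs, that nginx is deliberately not a member of that group, and GNU stat(1) with the -c option (Linux). setup_contrib_root applies the modes; check_contrib_path and audit_contrib_root verify them, which is the alternative to Ron's "constantly run an inotify script" option: audit and fail loudly rather than keep rewriting modes.

```sh
#!/bin/sh
# Added example, not from the thread. Scheme: a contributor group (wwwcontrib)
# owns the editable content, directories are setgid so uploads inherit that
# group, and nginx (NOT a member) reads everything via the world-read bit.
# Assumptions: group name, paths, GNU stat -c (Linux).
set -eu

# setup_contrib_root DIR GROUP
# Directories: rwxrwsr-x (2775). Files: rw-rw-r-- (664).
# Group rw lets user-B edit user-A's upload; world r lets nginx serve it;
# nothing is world-writable. setgid on dirs makes new files inherit GROUP.
setup_contrib_root() {
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir"
    find "$dir" -type d -exec chmod 2775 '{}' +
    find "$dir" -type f -exec chmod 664 '{}' +
}

# check_contrib_path PATH GROUP
# Return 0 only if PATH has group GROUP, group write, world read, no world
# write, and (for directories) the setgid bit.
check_contrib_path() {
    p=$1; grp=$2
    [ "$(stat -c '%G' "$p")" = "$grp" ] || return 1
    sym=$(stat -c '%A' "$p")                 # e.g. drwxrwsr-x or -rw-rw-r--
    [ "$(printf '%s' "$sym" | cut -c6)" = w ] || return 1   # group write
    [ "$(printf '%s' "$sym" | cut -c8)" = r ] || return 1   # world read (nginx)
    [ "$(printf '%s' "$sym" | cut -c9)" = - ] || return 1   # no world write
    if [ -d "$p" ]; then
        case "$(printf '%s' "$sym" | cut -c7)" in
            s|S) ;;                          # setgid: uploads inherit GROUP
            *) return 1 ;;
        esac
    fi
}

# audit_contrib_root DIR GROUP
# Print every path under DIR that breaks the layout (to stderr); return 1 if
# any does, 0 if the tree is clean. The while loop runs in the pipeline's
# subshell, so its verdict is passed back with exit rather than return.
audit_contrib_root() {
    dir=$1; grp=$2
    find "$dir" -print | {
        bad=0
        while IFS= read -r p; do
            check_contrib_path "$p" "$grp" || { printf 'BAD %s\n' "$p" >&2; bad=1; }
        done
        exit "$bad"
    }
}

# sshd_config side (OpenSSH 5.4+), so that uploads land as 664 instead of the
# 644 (-rw-r--r--) seen in Ron's listing, which is the default 022 umask at
# work. The ChrootDirectory itself must be root-owned and not group/world
# writable, so the editable web root is a subdirectory of it:
#   Match Group wwwcontrib
#       ChrootDirectory /srv/sftp/web
#       ForceCommand internal-sftp -u 002
#
# Usage: sh thisfile.sh /srv/sftp/web/htdocs wwwcontrib   (as root)
if [ $# -eq 2 ]; then
    setup_contrib_root "$1" "$2"
    audit_contrib_root "$1" "$2"
fi
```

Two caveats a practitioner would want: the setgid bit only fixes the group of new files, not their mode, so the umask in the Match block is what keeps later uploads group-writable; and everything nginx should serve but nobody should edit stays in the nginx group with mode 644, exactly as Don says, so the audit must only be pointed at the contributor tree.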

