
I am running Ubuntu 22.04.3 with an sFTP server configured through SSHD. I have several user home directories, each with a dropoff and a pickup folder inside of them. While my admin user is able to navigate the server and view the contents of any directory, the admin is unable to add or remove any files from the other users' directories. The aforementioned pickup and dropoff directories are owned by root and the group is marked as 'sftp'. This sftp group contains all of the users that I wish to have accessing my server and picking up/dropping off files. My admin user is not part of the sftp group. When I add the admin to the SFTP group, I am no longer able to access the server as the admin. When the admin is not part of the group, I am able to access the server but am unable to add/remove files from directories belonging to the sftp group.

My sshd.conf is as follows:

AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes

Match group sftp
  ChrootDirectory /home/%u
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

Any guidance will be much appreciated.

Edit 1:

ls -ld pickup shows drwxrwxr-x 2 root sftp 4096 Dec 18 16:22 pickup

Edit 2:

I am using WinSCP and FileZilla to connect to the server. I have a user that is not familiar with terminal usage and needs to send files to and from clients. This admin account can currently view all files on the server but cannot add or remove any files (such as .xlsx). I am not going to give someone with no terminal experience or understanding of what SFTP is total access and control over the server. That would be unintelligent. What I am trying to do is create an account for myself for testing, so that I know what permissions and properties to grant this account before giving it to my user.

As it stands the account can view files in a directory such as /home/client1/dropoff but cannot add or remove files from the dropoff directory. I need the account to be able to navigate through /home/ and into all of the client directories and sub-directories, and add or remove files at will. Currently my client users can only access their home directory /client1/ and the corresponding sub-directories. They can add or remove files with no problem, as the clients' accounts are members of an 'sftp' group and so are the sub-directories.

I have tried adding this admin account to the sftp group, but when I do that I am no longer able to connect to the server via WinSCP or FileZilla. I have tried changing the Protocol options for the SFTP Environment settings from 'Default' to 'sudo su -c /bin/sftp-server' within WinSCP, but this gives me the error "Cannot initialize SFTP protocol. Is the host running an SFTP server?", which I know it is, because when I examine the server and protocol information the File transfer protocol is labeled 'SFTP-3'.

The groups my admin account belongs to are as follows:

sudo adm cdrom dip plugdev lxd ftpadmin

  • Please add ls -ld pickup dropoff to your question, replacing pickup and dropoff appropriately. Also, with respect to this output, please confirm the group that your users are in. Commented Dec 19, 2023 at 16:58
  • "The user is unable to add or remove any files from the other users directories" - can they access files in these directories? Commented Dec 19, 2023 at 17:00
  • You realise that your directive ChrootDirectory /home/%u locks each user who is a member of the sftp group into their own home directory, and it will be impossible for them to access anyone else's home directory? Commented Dec 19, 2023 at 17:01
  • @ChrisDavies I have users locked to their home directory on purpose. I wouldn't want to give an outside user access to the entire server. The admin is able to access files but not add or remove them. ls -ld pickup comes back with drwxrwxr-x 2 root sftp 4096. My issue isn't with an sftp user adding or removing files, it's with my admin. I want the admin to be able to delete old files and add new ones for my end users to pick up. Commented Dec 19, 2023 at 17:52
  • That's not what your question appeared to say. "While my admin user is able to navigate the server and view the contents of any directory. The user is unable to add or remove any files from the other users directories." - this says to me that you're happy the admin can perform administrative actions but the user is unable to do things (that they should be able to do). Commented Dec 19, 2023 at 18:01

1 Answer

Based on the comments, what you call "admin user" should rather be called something like a "FTP/SFTP janitor user".

You should create a group for this purpose, and make both the "admin user" and the users that have pickup/dropoff directories members of that group.

The sftp group is not suitable for this purpose, because the Match clause in the sshd_config file restricts members of that group to their home directories and SFTP-only access. Obviously you don't want that to happen to the "admin user", because they would then not be able to do the job of managing the pickup/dropoff directories.

The pickup/dropoff directories should be owned by the respective user, and chgrp'ed to this new group. Then you should set a chmod g+swx to the pickup/dropoff directory: this will cause any new files dropped in by the pickup/dropoff user to assume the group ownership of the new group, and will allow members of the new group that can access the directory (i.e. the pickup/dropoff user themselves, and the admin user) read/write access.

The admin user should be a member of the new group, but not of the sftp group.

After the permissions are set in this manner, you could remove the powerful sudo and adm group memberships from any non-command-line-savvy admin accounts.

If you want to restrict the admin user to SFTP access only (because you said they are unfamiliar with command line), then you might write a new Match block to sshd_config for admin users, located after the Match group sftp block:

Match group <new group>
  X11Forwarding no
  AllowTcpForwarding no
  ForceCommand internal-sftp

This prevents using the admin user account for command-line access, making it strictly a SFTP-based administration account for pickup/dropoff directories. Since this setup is based on group memberships, you can later add new pickup/dropoff admin accounts by simply creating a user and adding them to this new group.
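The answer's layout (directory owned by the client user, group set to a dedicated janitor group, setgid plus group write so new uploads inherit the group and the admin can remove them) is easy to get subtly wrong, for example by forgetting the setgid bit so that files uploaded by the client stay in the client's primary group. The script below is an added example, not part of the question or the answer, that audits a pickup/dropoff directory for that layout and can apply it. The group name sftpjanitor, the user client1 and the /home/client1 paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit (and optionally apply) the pickup/dropoff directory
# layout described in the answer. Names are assumptions: group "sftpjanitor",
# user "client1", directories /home/client1/pickup and /home/client1/dropoff.

# check_dropbox_dir DIR [GROUP]
# Returns 0 when DIR is a directory whose group has write permission and whose
# setgid bit is set (the answer's chmod g+swx), so files created inside it
# inherit the directory's group instead of the uploader's primary group.
# If GROUP is given, the directory's group must also match it.
check_dropbox_dir() {
    dir=$1
    want_group=${2:-}
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld prints e.g. "drwxrwsr-x 2 client1 sftpjanitor 4096 ... dir";
    # characters 5-7 of the mode string are the group bits, field 4 the group.
    line=$(ls -ld "$dir")
    mode=$(printf '%s' "$line" | cut -c1-10)
    grp_w=$(printf '%s' "$mode" | cut -c6)
    grp_x=$(printf '%s' "$mode" | cut -c7)
    have_group=$(printf '%s' "$line" | awk '{print $4}')
    rc=0
    [ "$grp_w" = w ] || { echo "$dir: group has no write permission ($mode)" >&2; rc=1; }
    case $grp_x in
        s) ;;   # setgid and group-executable: the wanted state
        S) echo "$dir: setgid set but group lacks execute ($mode)" >&2; rc=1 ;;
        *) echo "$dir: setgid bit missing, uploads will not inherit the group ($mode)" >&2; rc=1 ;;
    esac
    if [ -n "$want_group" ] && [ "$have_group" != "$want_group" ]; then
        echo "$dir: group is $have_group, expected $want_group" >&2
        rc=1
    fi
    return $rc
}

# apply_dropbox_layout USER GROUP DIR
# Applies the answer's recipe. Needs root, because chown changes the owner.
apply_dropbox_layout() {
    chown "$1:$2" "$3" && chmod g+swx "$3"
}

# audit_all_clients GROUP
# Checks every /home/*/pickup and /home/*/dropoff directory; returns 1 if any fail.
audit_all_clients() {
    failed=0
    for d in /home/*/pickup /home/*/dropoff; do
        [ -e "$d" ] || continue
        check_dropbox_dir "$d" "$1" || failed=1
    done
    return $failed
}

# Usage: ./dropbox-perms.sh check DIR...    or    ./dropbox-perms.sh audit GROUP
#        ./dropbox-perms.sh apply USER GROUP DIR
case ${1:-} in
    check) shift; for d; do check_dropbox_dir "$d"; done ;;
    audit) audit_all_clients "${2:-sftpjanitor}" ;;
    apply) apply_dropbox_layout "$2" "$3" "$4" ;;
esac
```

Running `audit sftpjanitor` after following the answer shows at a glance which client directories still have the old root:sftp 775 layout. The other half of the answer, the sshd_config Match blocks, can be verified without logging in: `sshd -T -C user=<admin user>` prints the effective configuration for that user, so you can confirm that the janitor account gets ForceCommand internal-sftp but no ChrootDirectory, while `sshd -T -C user=client1` still shows the chroot.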

  • Thank you. I'd just started writing an answer that (basically) says much the same thing. Commented Dec 20, 2023 at 11:08
  • Thank you 1000 times. I have been trying to accomplish this for months and just kept coming back whenever I had time. Everything is working as intended now. Commented Dec 20, 2023 at 15:41
