0

So there is a user that was created by root, and it pretty much has access to most/all directories on the system. We want to use this user only for FTP via lftp to read a certain file on the server where this user is located; let's call it config-server. All the other servers have scripts that will use lftp/ftp to access the config-server using this user to read the desired config file.

As the user and password will be saved on the other servers, we want to restrict this user's access to all other unnecessary directories, and no, we don't want to restrict the user's FTP access, we want to restrict the user itself.

My goal is to do it at once, or at least once for each mount point, like configuring his/her access globally once to 000, then go to the desired directory and give him read access to that directory only.

So how can I do this globally? Is it possible? I thought I could use recursive chmod/setfacl on all directories/mount points while signed in as root, and then, as root, give that user access to the config file's path. Is this a viable solution, or does it have risks? If not, please share your solution.

Note: We have somewhat 74 servers, which nullifies the point of storing the config on each server separately.

EDIT: Server OS is Redhat 6.9 (or later for other servers). Also, the access method used in the script would be FTP, but like I said, since the user and password are present in the scripts that are on the other servers, we should prevent the user's overall access; someone might use ssh, or even direct login, and we can't be held responsible for allowing that to happen. Also, we have limited access to most of our servers (configuration-wise); this is one of the few for which we do have root access and the OS is not managed by another team. But we ourselves will need to be able to log in to this user (we can't complicate it too much; not every member that is added to the team has good Linux/OS knowledge. Ironically, right now two new members, trained by me and my ex-colleague in Linux, one of whom is an IT student, still didn't know what command is used to switch user; both use right click to copy and paste :| ).

12
  • Check your FTP server's documentation to see if there is an option to have a user chrooted into a particular directory. That will probably be what you want. Commented May 13 at 14:14
  • Please edit your question and add details about your OS and version. Do I understand correctly that this user shall only be allowed FTP access and not interactive login? One option might be to block login by specifying something like /sbin/nologin as the login shell. Or use an FTP server that allows "virtual" users, see wiki.sharewiz.net/… Commented May 13 at 14:15
  • @Bodo updated the question Commented May 13 at 15:13
  • @raj will check that, but I don't care where this user is logged in, even if it's their home path. I just need to cut off its access to everywhere else but one or two directories. Commented May 13 at 15:14
  • It is still unclear what you want to achieve. Please make your requirements clear. Why do you "need to be able to login to this user"? What exactly do you have to do as this user? On Linux or UNIX, a user normally has write access to the home directory only, read access to most other locations and no access to security-related files. Depending on the FTP server, there might be settings to be more restrictive for FTP access. What exactly do you mean with "restrict this users access to all other unnecessary directories"? Or what exactly do you consider as "unnecessary directories"? Commented May 13 at 15:29

2 Answers

3

That's a whole lot of complicated description. I think what you're asking is this,

We have over 70 servers with a common scheme for user accounts. For a specific account we want to allow it remote access with FTP to just one server ("A") but not to the others. However, we want also scripts on the other servers to be able to transfer files to the server "A" using this same account.

  1. How can we stop the remote user access to servers other than server "A"?
  2. How can we stop the user account being able to access files and directories other than the single file they are permitted to access?

Note:

  • We want to be able to use this user account ourselves
  • The user might log in with ssh or some other scheme that we're not expecting, and we don't want that to work

If so, the solution is not to use the same user account for multiple distinct operations. Don't complicate matters.

  1. Use a separate account for the remote access that's available only on the single permitted server. Ensure that this account runs in a restricted environment ("chroot") and cannot be accessed except through FTP. Although FTP/S or even SFTP would be better.
  2. Use a different account to transfer files between servers
  3. Possibly use yet another account for your own management operations
3
  • Yes, up to a point your interpretation of my question is correct. The common scheme, although similar: this user was created for this sole purpose, granting other servers access to this single file on this server, so this user only exists on config-server and nowhere else. Also, I do get what you say, but confining the user's access only to FTP will mean having to grant it write via FTP, which makes it unsafe again, since it can be accessed through FTP to edit that file from any of the other servers. Wouldn't it be unsafe? Commented May 14 at 4:43
  • Also, we don't have physical access to these servers; we use ssh ourselves to access them, so restricting ssh will effectively make the user unusable directly. I will read up on this though, not dismissing it, just stating the parts that I think are contradicting what we need. Unfortunately I can't control who (who might not have enough knowledge) is hired into the team. Commented May 14 at 4:48
  • 1
    Giving the user access via ftp does not necessarily mean write access. You can use the configuration controls provided by your ftp server to fine-tune access and make it read-only. Or read-only except specific files/dirs. Without having more details on your config (what ftp server do you use, for example) I can't provide more advice. As for ssh access, you should restrict ssh access only for that user (for example by giving him /sbin/nologin as shell), not in general, and use another user account for your management activities. Commented May 14 at 8:36
1

Referring to the example you gave in your comment:

I have 5 servers. Servers are A, B, C, D and Z. All servers A, B, C, D will use ftp to get access and read a config file stored on server Z. This file is on this path, as an example: /opt/scripts/ConfiFileA/configuration.txt, so users will need to have access to this file and only that path. Any other directory inside /opt and /opt/scripts should be off-limits to this user, so it can't read or write to them.

you should do the following things on server Z:

  1. Restrict the interactive login (e.g. ssh) for the user in question, e.g. by setting /sbin/nologin as the user's shell.
  2. Configure your ftp server to allow this user to log in (despite having no valid shell, this might require some tweaking to your ftp server configuration) and chroot the user to some directory.
  3. For some ftp servers, if the user is chrooted, their access by default becomes read-only in the "main" directory - if that's not the case with your ftp server, you can modify the configuration to make the access read-only.
  4. Make a hard link to the file /opt/scripts/ConfiFileA/configuration.txt in the directory the user is chrooted to, and make the scripts on servers A, B, C, D read that file directly from that directory, not from /opt/scripts/ConfiFileA/.

Always consult your ftp server documentation to check how to do all the configuration changes.

As mentioned in the other answer, use another account for your regular maintenance work.
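
An added example (not part of the answer above) that audits the four steps on server Z after they have been applied. It assumes vsftpd as the FTP server, which the page does not name; the account name `cfgread` and all paths in the fixture are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the answer. Assumes vsftpd; all names are placeholders.

# 0 if the user's shell in a passwd-format file ends in /nologin (step 1).
shell_is_nologin() {   # $1=user  $2=passwd file
    awk -F: -v u="$1" '$1 == u { found = 1; ok = ($7 ~ /\/nologin$/) }
        END { exit !(found && ok) }' "${2:-/etc/passwd}"
}

# 0 if every assignment of key $2 in config file $1 equals $3 (steps 2-3).
conf_has() {
    vals=$(sed -n "s/^$2=//p" "$1" | sort -u)
    [ "$vals" = "$3" ]
}

# 0 if the chroot copy $2 is still the same inode as the master $1 (step 4).
# Editors that save by writing a new file and renaming it over the old one
# give the master a new inode; the hard link then keeps serving stale data.
link_intact() {
    [ -f "$1" ] && [ "$1" -ef "$2" ]
}

# Print one line per failed check; the return status is the failure count.
audit() {   # $1=user $2=passwd $3=vsftpd.conf $4=master file $5=chroot copy
    fails=0
    shell_is_nologin "$1" "$2" ||
        { echo "FAIL: $1 has no nologin shell"; fails=$((fails + 1)); }
    for kv in local_enable=YES chroot_local_user=YES write_enable=NO; do
        conf_has "$3" "${kv%%=*}" "${kv#*=}" ||
            { echo "FAIL: $3 should set $kv"; fails=$((fails + 1)); }
    done
    link_intact "$4" "$5" ||
        { echo "FAIL: $5 is not a hard link to $4"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed fixture so the checks run without touching the real system.
demo() {
    d=$(mktemp -d) && mkdir "$d/master" "$d/jail" || return 1
    printf 'cfgread:x:1001:1001::/srv/jail:/sbin/nologin\n' > "$d/passwd"
    printf 'local_enable=YES\nchroot_local_user=YES\nwrite_enable=NO\n' > "$d/conf"
    echo 'v1' > "$d/master/configuration.txt"
    ln "$d/master/configuration.txt" "$d/jail/configuration.txt"
    audit cfgread "$d/passwd" "$d/conf" "$d/master/configuration.txt" "$d/jail/configuration.txt" && echo "clean"
    echo 'v2' > "$d/master/new" && mv "$d/master/new" "$d/master/configuration.txt"
    audit cfgread "$d/passwd" "$d/conf" "$d/master/configuration.txt" "$d/jail/configuration.txt" || true
    rm -rf "$d"
}
demo
```

The second `audit` call in `demo` reports the hard-link failure: a hard link must live on the same filesystem as the master file, and it has to be recreated whenever the master is replaced rather than edited in place.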
