
SSH file permissions

335 Views, 10 Replies. Latest reply: May 5, 2012 8:57 PM by gracoat
StevieG
May 3, 2012 3:27 PM

I am trying to create an SSH server to host large files for my clients to download. I have enabled SSH and created a user "ftpuser" and things seem to be running fine. My problem is this user can see all the files and folders in /

 

I only want this user to have access to a specific folder and not have read access to ANYTHING else.

 

How can I do this?

iMac 21.5" (late 2009), Mac OS X (10.6.4), 8gb RAM, 1TB Hdd
  • Linc Davis Level 10 Level 10 (107,390 points)
    May 3, 2012 3:39 PM (in response to StevieG)

    Do you want an FTP server or an SSH server?

  • Linc Davis Level 10 Level 10 (107,390 points)
    May 3, 2012 4:16 PM (in response to StevieG)

    I think what you're trying to do is very unwise. Host the files on a publicly-accessible server, not on your personal workstation.

     

    However, if you're determined to do it anyway, I can give you only general guidelines.

     

    You'll need either a static IP address from your ISP or a dynamic domain name for your gateway. The server will need a fixed IP address on the LAN --- not a DHCP address. Forward TCP port 22 to the server.

     

    Next, you'll need to add some directives to /etc/sshd_config. Uncomment the following line, if it's commented:

     

    Subsystem sftp /usr/libexec/sftp-server
    

     

    Then add something like this:

     

    Match User user
        ChrootDirectory     path
        AllowTcpForwarding  no
        X11Forwarding       no
        # internal-sftp is served from inside sshd, so it still works once the
        # session has been chrooted into path; /usr/libexec/sftp-server (and the
        # shell needed to exec it) does not exist inside the chroot.
        ForceCommand        internal-sftp
    

     

    where user is the name of the account the clients will log in as, and path is the directory containing the files you want to distribute. See the sshd_config(5) man page for details. Make sure that read-only permissions for user are set for path and all its contents -- unless, of course, you want the clients to be able to make changes, in which case the permissions will need to be different.

     

    There are other details you'll need to decide, such as password vs. public-key authentication, GSSAPI, etc.

     

    Restart sshd and test.
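
    An added example, not code from this thread or from Apple: a small POSIX shell script that audits an sshd_config for the Match block described in the post above, so the "test" step can be done on the file before restarting sshd. The user name ftpuser, the chroot path /Users/Shared/clientfiles and the three sample configs it writes to a temporary directory are constructed assumptions. It checks for the global Subsystem line, a ChrootDirectory, ForceCommand set to internal-sftp rather than the on-disk /usr/libexec/sftp-server (which is no longer reachable after the chroot), and both forwarding directives turned off.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: audit an sshd_config for a
# chrooted, SFTP-only account. The user "ftpuser", the chroot path and the
# sample config files below are constructed assumptions.

# Print the directives inside "Match User <user>" (up to the next Match line
# or end of file), dropping blank and comment lines.
match_block() { # config-file user
  awk -v u="$2" '
    tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == u); next }
    inblk && NF && $1 !~ /^#/ { print }
  ' "$1"
}

# Print the value of one directive read from stdin; the first occurrence
# wins, which is also how sshd treats a repeated directive.
opt_value() { # directive
  awk -v o="$1" 'tolower($1) == tolower(o) { print $2; exit }'
}

# Print every problem found; exit 0 only when the block is sound.
audit_sftp_chroot() { # config-file user
  cfg=$1; user=$2; problems=0

  # Directives before the first Match are global; "Subsystem sftp" lives there.
  if ! awk 'tolower($1) == "match" { stop = 1 }
            !stop && tolower($1) == "subsystem" && $2 == "sftp" { found = 1 }
            END { exit !found }' "$cfg"; then
    echo "no global 'Subsystem sftp' directive"; problems=$((problems + 1))
  fi

  blk=$(match_block "$cfg" "$user")
  if [ -z "$blk" ]; then
    echo "no 'Match User $user' block: the account keeps a full shell"
    return 1
  fi

  # ChrootDirectory must be set: an absolute path or a %-token such as %h.
  chroot_dir=$(printf '%s\n' "$blk" | opt_value ChrootDirectory)
  case $chroot_dir in
    /*|%*) ;;
    *) echo "ChrootDirectory missing or not absolute"; problems=$((problems + 1)) ;;
  esac

  # Inside the chroot neither /usr/libexec/sftp-server nor the user's shell
  # exists, so that ForceCommand fails at login; internal-sftp runs in sshd.
  fc=$(printf '%s\n' "$blk" | opt_value ForceCommand)
  [ "$fc" = internal-sftp ] ||
    { echo "ForceCommand is '${fc:-unset}', need internal-sftp"; problems=$((problems + 1)); }

  # Both default to yes; a file-drop account needs neither.
  for d in AllowTcpForwarding X11Forwarding; do
    v=$(printf '%s\n' "$blk" | opt_value "$d")
    [ "$v" = no ] ||
      { echo "$d is '${v:-unset}', need no"; problems=$((problems + 1)); }
  done

  [ "$problems" -eq 0 ]
}

# --- constructed sample configs, written to a temporary directory -----------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

WEAK_CFG=$TMP/weak_sshd_config   # ForceCommand points at the on-disk binary
cat > "$WEAK_CFG" <<'EOF'
Subsystem sftp /usr/libexec/sftp-server
Match User ftpuser
    ChrootDirectory     /Users/Shared/clientfiles
    AllowTCPForwarding  no
    X11Forwarding       no
    ForceCommand        /usr/libexec/sftp-server
EOF

GOOD_CFG=$TMP/good_sshd_config   # in-process SFTP that survives the chroot
cat > "$GOOD_CFG" <<'EOF'
Subsystem sftp /usr/libexec/sftp-server
Match User ftpuser
    ChrootDirectory     /Users/Shared/clientfiles
    AllowTcpForwarding  no
    X11Forwarding       no
    ForceCommand        internal-sftp
EOF

BARE_CFG=$TMP/bare_sshd_config   # no Match block: the original poster's state
printf 'Subsystem sftp /usr/libexec/sftp-server\n' > "$BARE_CFG"

for c in "$GOOD_CFG" "$WEAK_CFG" "$BARE_CFG"; do
  if audit_sftp_chroot "$c" ftpuser; then echo "$c: OK"; else echo "$c: NOT OK"; fi
done
```

    Run it with sh. It only reads the config, so it is a complement to sshd -t (which checks syntax but not intent), and it says nothing about the directory itself: sshd refuses a ChrootDirectory unless it and every directory above it are owned by root and writable by nobody else, so the read-only permissions the post asks for must cover the chroot root itself, with any writable drop folder created as a subdirectory inside it.
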

  • Linc Davis Level 10 Level 10 (107,390 points)
    May 3, 2012 4:59 PM (in response to StevieG)

    I don't use Lion Server, so I don't give advice about it. I'll ask the moderators to move this thread to the proper forum where you'll be more likely to get the help you need.

  • gracoat Level 3 Level 3 (645 points)
    May 3, 2012 10:05 PM (in response to StevieG)

    Why not use webdav?

    Set up the share in Server.app and make the share accessible through webdav.  Set the permissions here as well.

     

    On the client workstation, connect to the server by clicking "Go" then select "Connect to server"

    For the address you type:

    http://server.example.com/foldername

     

    If the folder is shared securely using ssl then use https://server.example.com/foldername

     

    If you don't know what ssl is or if it's enabled, then you probably can just use the first example.

     

    I wouldn't use ssh since having access to your computer with this method allows all kinds of commands etc.  In fact, technically, if a user could successfully authenticate to your computer using ssh, they could execute ANY command that you can perform as a user that's logged in to your computer normally.  For example, your ssh'd person might as well be sitting in front of your computer.

    HTH

     

    -Graham

  • gracoat Level 3 Level 3 (645 points)
    May 4, 2012 3:37 PM (in response to StevieG)

    Sure will.  It runs on Port 80.

    That means that if you already have a website that's available from outside your network, then no additional configuration will be needed. (in terms of port forwarding or address translation)

  • gracoat Level 3 Level 3 (645 points)
    May 5, 2012 8:57 PM (in response to StevieG)

    Not a stupid question!  It's pretty easy if they're running Vista or newer.  I think XP needs a download from MS to allow for SSL connections, but here's how with Vista and 7.

     

    Click your start menu.

    Click Computer

    Click the Map Network Drive button at the top of the window.

    Select a drive letter of your choice. 

    In the address field type https://server.example.com/webdav/sharename (where sharename is the name of the folder that you're sharing)

    Click the checkbox that says: "Connect using different credentials"

    Click Finish and enter your credentials.

    It should connect!
