  1. #1
    Just Joined!
    Join Date
    Mar 2011
    Posts
    2

    Jailed FTP - need to access separate directory outside of jail.


    Current setup:

    Ubuntu with internal-sftp.

    Users are jailed to /data/ftp/%u

    User vendor1 needs to access upload directory in vendor2's location (same system).

    Vendor2 cannot be able to view Vendor1's data. Vendor1 will be accessing 2's data and writing to that directory as needed.

    There are numerous other vendors within /data/ftp and attempting to change match group to a different chrootdirectory doesn't seem to be doing the trick.

    Ideas?

  2. #2
    Linux Newbie Nagarjuna's Avatar
    Join Date
    Feb 2011
    Posts
    122
    Hello, adambelial. Welcome to the forums.

    If I'm understanding your situation correctly, I believe you could achieve this with a simple symbolic link and some permission editing. If you're not familiar with sym-links, think of a fancy Windows shortcut.

    So, try and create a symbolic link from vendor1's jailed directory to vendor2's:

    Code:
    ln -s /data/ftp/vendor2 /data/ftp/vendor1/vendor2_link
    Now vendor1 can access '/data/ftp/vendor2' from the 'vendor2_link' symbolic link in his jailed directory. Note that vendor2 will have no access to vendor1's directory.

    If you want vendor1 to be able to write in vendor2's directory, you'll need to work with permissions a bit. There are a few ways of doing this. I recommend using groups:

    Create group and add vendors:
    Code:
    groupadd ftpvendors 
    usermod -a -G ftpvendors vendor1
    usermod -a -G ftpvendors vendor2
    Set directory ownership and permissions:
    Code:
    chgrp ftpvendors /data/ftp/vendor2
    chmod 770 /data/ftp/vendor2
    Now vendor1 can write in vendor2's directory. You may want to edit the permissions on files already existing in the directory so vendor1 can access them. You can cherry-pick only certain files, or you can just blast 'em all with the permissions!

    Code:
    chmod -R 770 /data/ftp/vendor2
    You should be good to go after this. Let me know if you run into any problems.
    “Things derive their being and nature by mutual dependence and are nothing in themselves.”

  3. #3
    Just Joined!
    Join Date
    Mar 2011
    Posts
    2
    Hello Nagarjuna and thank you for the assistance.

    I completely comprehend the instructions you included and appreciate the help.

    The issue lies in using sftp through sshd and its apparent inability to traverse using symbolic links. Example: WinSCP and Filezilla will attempt to download the symlink as a file and then complain about UTF-8 not being enabled.

    One method I have tried and I know works (But is rather not elegant) is to create another clause in my sshd_config:


    #Match user Vendor1
    #ChrootDirectory /var/www/extendedaccess/%h
    #X11Forwarding no
    #AllowTcpForwarding no
    #ForceCommand internal-sftp

    #Match user Vendor2
    #ChrootDirectory /var/www/extendedaccess/%u
    #X11Forwarding no
    #AllowTcpForwarding no
    #ForceCommand internal-sftp

    Which will give Vendor1 access to Vendor2's directory and I can control access permissions to Vendor2's dir quite easily. Secondary clause permitting normal jailed access for Vendor2 without knowledge of Vendor1's directory structure.

    It's inelegant but it seems to work. I'd rather have some input from the community and see if there is something I am missing versus this sort of go-around that I have come up with.

  4. #4
    Linux Newbie Nagarjuna's Avatar
    Join Date
    Feb 2011
    Posts
    122
    Ahh, I see..

    Well, I do have one little idea that might work, we'll just have to test it out and see. That is if you haven't tried it already.

    Perhaps we can use the faithful mount command's bind feature:

    Code:
    mkdir -p /data/ftp/vendor1/vendor2_link
    mount --bind /data/ftp/vendor2 /data/ftp/vendor1/vendor2_link
    The idea is sort of similar to a symbolic link. Since kernel 2.4, mount is able to bind preexisting mount points (or normal, everyday files/directories) multiple times to other locations of the file-system. This way vendor1 has vendor2's directory mounted inside of his as vendor2_link. With this method, vendor2 should have no way to get inside of vendor1's home.

    If it does work, simply add it to your fstab so that it auto-mounts at boot time:

    Code:
    /data/ftp/vendor2 /data/ftp/vendor1/vendor2_link bind defaults,bind 0 0
    It's an idea.. I hope it helps. Let me know how it goes!
    Last edited by Nagarjuna; 04-01-2011 at 09:03 PM.
    “Things derive their being and nature by mutual dependence and are nothing in themselves.”
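
Added example, not written by either poster: a shell audit that reports which symlinks inside an SFTP chroot the jailed user cannot follow, which is why the thread moves from `ln -s` to `mount --bind`. After chroot the jail directory becomes `/`, so an absolute target such as /data/ftp/vendor2 is looked up inside the jail. Assumes GNU `readlink -f`; `link_status`, `audit_jail` and `demo` are hypothetical names, and the demo tree is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils (readlink -f).

# link_status JAIL LINK -> prints "ok", "dangling" or "outside"
link_status() {
    jail=$(cd "$1" && pwd -P) || return 2
    raw=$(readlink "$2") || return 2
    case "$raw" in
        /*) # absolute: the jailed process resolves it relative to the jail root
            if [ -e "$jail$raw" ]; then echo ok; else echo dangling; fi ;;
        *)  # relative: resolve on the host, then require it to stay in the jail
            real=$(readlink -f "$2" 2>/dev/null) || real=
            case "$real" in
                "$jail"|"$jail"/*)
                    if [ -e "$real" ]; then echo ok; else echo dangling; fi ;;
                *) echo outside ;;
            esac ;;
    esac
}

# audit_jail JAIL -> one "STATUS<TAB>LINK -> TARGET" line per unusable symlink
audit_jail() {
    find "$1" -type l | while IFS= read -r link; do
        st=$(link_status "$1" "$link")
        [ "$st" = ok ] || printf '%s\t%s -> %s\n' "$st" "$link" "$(readlink "$link")"
    done
}

# Constructed demo tree mirroring the thread's vendor1/vendor2 layout.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/vendor1/inbox" "$root/vendor2/upload"
    ln -s "$root/vendor2" "$root/vendor1/vendor2_link"   # absolute, as in post #2
    ln -s ../vendor2/upload "$root/vendor1/rel_link"     # relative, climbs out
    ln -s inbox "$root/vendor1/inbox_link"               # stays inside the jail
    audit_jail "$root/vendor1"
    rm -rf "$root"
}

# Run the demo only when asked: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A bind-mounted directory does not appear in this report because it is a real directory inside the jail rather than a link pointing out of it.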
