Otdfbt

Is there a service that would inform me whenever a new direct route is scheduled from a given airport?

What are 'alternative tunings' of a guitar and why would you use them? Doesn't it make it more difficult to play?

I am not a queen, who am I?

Gastric acid as a weapon

Do you forfeit tax refunds/credits if you aren't required to and don't file by April 15?

What is a Meta algorithm?

Is above average number of years spent on PhD considered a red flag in future academia or industry positions?

How can players work together to take actions that are otherwise impossible?

How to recreate this effect in Photoshop?

If a contract sometimes uses the wrong name, is it still valid?

Is there a "higher Segal conjecture"?

How do I mention the quality of my school without bragging

Bonus calculation: Am I making a mountain out of a molehill?

How discoverable are IPv6 addresses and AAAA names by potential attackers?

G-Code for resetting to 100% speed

Sorting numerically

What is the longest distance a 13th-level monk can jump while attacking on the same turn?

Output the ŋarâþ crîþ alphabet song without using (m)any letters

Is it true that "carbohydrates are of no use for the basal metabolic need"?

Why is "Consequences inflicted." not a sentence?

Proof involving the spectral radius and Jordan Canonical form

Is there a concise way to say "all of the X, one of each"?

Can a non-EU citizen traveling with me come with me through the EU passport line?

Why are there no cargo aircraft with "flying wing" design?

Allow ssh/sftp file up-/download, but disallow changing existing files

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

1

I have a linux mint machine which provides a kind of file dump which gets provided via a nginx.

My problem is, that a single user (upload_usr) should be able to place new files/directorys inside one specific folder, but he shouldn't be allowed to replace or change any existing file.

This should work like this:

• put a.txt -> fine


• put a.txt -> disallow


• cat a.txt -> fine


• put b.txt -> fine


• rm a.txt -> disallow

Important is, that an other user which isn't root needs to be able to r/w in this dir.

What would be the easiest way to achieve this?

ssh permissions sftp linuxmint

share|improve this question

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

2

1

I have a linux mint machine which provides a kind of file dump which gets provided via a nginx.

My problem is, that a single user (upload_usr) should be able to place new files/directorys inside one specific folder, but he shouldn't be allowed to replace or change any existing file.

This should work like this:

• put a.txt -> fine


• put a.txt -> disallow


• cat a.txt -> fine


• put b.txt -> fine


• rm a.txt -> disallow

Important is, that an other user which isn't root needs to be able to r/w in this dir.

What would be the easiest way to achieve this?

ssh permissions sftp linuxmint

share|improve this question

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

add a comment | 

I have a linux mint machine which provides a kind of file dump which gets provided via a nginx.

My problem is, that a single user (upload_usr) should be able to place new files/directorys inside one specific folder, but he shouldn't be allowed to replace or change any existing file.

This should work like this:

• put a.txt -> fine


• put a.txt -> disallow


• cat a.txt -> fine


• put b.txt -> fine


• rm a.txt -> disallow

Important is, that an other user which isn't root needs to be able to r/w in this dir.

What would be the easiest way to achieve this?

ssh permissions sftp linuxmint

share|improve this question

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

New contributor

Snapstromegon is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked Apr 10 at 15:15

SnapstromegonSnapstromegon

1132

1 Answer
1

active

oldest

votes

1

(Assuming openssh with sftp-server.)

If you allow SSH then this is nearly impossible. However, if you only allow SFTP:

should be able to place new files/directorys inside one specific
folder

Use ChrootDirectory

For the other requirements -P blacklisted_requests and -u umask should be sufficient. (You can see the request types by running /usr/lib/openssh/sftp-server -Q requests.)

put a.txt -> fine

allow write (allowed by default)

put a.txt -> disallow

Run the sftp-server with -u 0222 and disallow and setstat fsetstat.

cat a.txt -> fine

allow read (allowed by default)

put b.txt -> fine

allow write (allowed by default)

rm a.txt -> disallow

disallow remove (and rmdir?)

TLDR Limit users with ChrootDirectory and run sftp-server with -u 0222 -P remove,rmdir,setstat,fsetstat

share|improve this answer

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Maybe he can mix your solution with Match Group and ForceCommand, to force users in group to use SFTP, while keeping ssh enabled.
  
  – JucaPirama
  Apr 10 at 16:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, something like ForceCommand internal-sftp would disable interactive SSH sessions.
  
  – Mark Wagner
  Apr 10 at 17:01
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

Snapstromegon is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f962450%2fallow-ssh-sftp-file-up-download-but-disallow-changing-existing-files%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

(Assuming openssh with sftp-server.)

If you allow SSH then this is nearly impossible. However, if you only allow SFTP:

should be able to place new files/directorys inside one specific
folder

Use ChrootDirectory

For the other requirements -P blacklisted_requests and -u umask should be sufficient. (You can see the request types by running /usr/lib/openssh/sftp-server -Q requests.)

put a.txt -> fine

allow write (allowed by default)

put a.txt -> disallow

Run the sftp-server with -u 0222 and disallow and setstat fsetstat.

cat a.txt -> fine

allow read (allowed by default)

put b.txt -> fine

allow write (allowed by default)

rm a.txt -> disallow

disallow remove (and rmdir?)

TLDR Limit users with ChrootDirectory and run sftp-server with -u 0222 -P remove,rmdir,setstat,fsetstat

share|improve this answer

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Maybe he can mix your solution with Match Group and ForceCommand, to force users in group to use SFTP, while keeping ssh enabled.
  
  – JucaPirama
  Apr 10 at 16:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, something like ForceCommand internal-sftp would disable interactive SSH sessions.
  
  – Mark Wagner
  Apr 10 at 17:01
  

  
  
  
  

add a comment | 

1

(Assuming openssh with sftp-server.)

If you allow SSH then this is nearly impossible. However, if you only allow SFTP:

should be able to place new files/directorys inside one specific
folder

Use ChrootDirectory

For the other requirements -P blacklisted_requests and -u umask should be sufficient. (You can see the request types by running /usr/lib/openssh/sftp-server -Q requests.)

put a.txt -> fine

allow write (allowed by default)

put a.txt -> disallow

Run the sftp-server with -u 0222 and disallow and setstat fsetstat.

cat a.txt -> fine

allow read (allowed by default)

put b.txt -> fine

allow write (allowed by default)

rm a.txt -> disallow

disallow remove (and rmdir?)

TLDR Limit users with ChrootDirectory and run sftp-server with -u 0222 -P remove,rmdir,setstat,fsetstat

share|improve this answer

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Maybe he can mix your solution with Match Group and ForceCommand, to force users in group to use SFTP, while keeping ssh enabled.
  
  – JucaPirama
  Apr 10 at 16:49
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, something like ForceCommand internal-sftp would disable interactive SSH sessions.
  
  – Mark Wagner
  Apr 10 at 17:01
  

  
  
  
  

add a comment | 

(Assuming openssh with sftp-server.)

If you allow SSH then this is nearly impossible. However, if you only allow SFTP:

should be able to place new files/directorys inside one specific
folder

Use ChrootDirectory

For the other requirements -P blacklisted_requests and -u umask should be sufficient. (You can see the request types by running /usr/lib/openssh/sftp-server -Q requests.)

put a.txt -> fine

allow write (allowed by default)

put a.txt -> disallow

Run the sftp-server with -u 0222 and disallow and setstat fsetstat.

cat a.txt -> fine

allow read (allowed by default)

put b.txt -> fine

allow write (allowed by default)

rm a.txt -> disallow

disallow remove (and rmdir?)

TLDR Limit users with ChrootDirectory and run sftp-server with -u 0222 -P remove,rmdir,setstat,fsetstat

share|improve this answer

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

share|improve this answer

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246

answered Apr 10 at 16:30

Mark WagnerMark Wagner

15.3k22246