How to limit a users SSH access to certain folders

StackOverflow https://stackoverflow.com/questions/22789064

Pregunta

Currently, the project we are working on has a freelance front-end developer involved. As we have never used him before we are looking for a way to limit his access to our servers and files but at the same time let him modify the view files currently on these servers.

The current project (all on one server) is compartmentalised into 6 separate mini sites, all using an MVC structure.

e.g.

  • Mini Site 1 -- Models -- Views -- Controllers

  • Mini Site 2 -- Models -- Views -- Controllers

etc

We need to limit his access to each view folder for each project but nothing else.

We are using Amazon EC2 and are using security groups with a limited IP range. We are unable to allow him to use FTP because that opens us up to more potential issues.

Also we have looked at file and group permissions but we have thousands of files on this server alone.

Any ideas on how this can be achieved with as little footprint as possible, so once he leaves we can remove his access and revert the settings etc.?

¿Fue útil?

Solución

You could use chmod. I assume that your normal users can sudo and modify files at will? Or are they group based? Here are the two approaches you can pick from.

Approach 1:

If your normal employees/users can use sudo, you can chown all the folders so they are owned by root and a new group called programmers by doing chown -R root:programmers /var/www/dir/ This will make dir and everything in it owned by root and the group programmers. Then you would do chown -R 744 /var/www/dir/ . This will make it so that the root user has R/W/X permissions on dir and all folders in it (that is the 7), users in the programmers group would have Read only permissions (the 4), and all other users would have Read only permissions (the last 4).

From there you would go through and the directories you would want him to have access to you would do: chown -R 774 /var/www/dir/front-end/views/ which would give root and all users in programmers group full R/W/X permissions. If you wanted to do it per file, you could do chown 774 /var/www/dir/front-end/views/index.html

For all other users if they wanted to modify a file (let us say they are using vim), they'd need to do sudo vim /var/www/dir/front-end/views/index.html . This would let them pretend to be root and be able to edit regardless of the Other permission (which is that last 4 in the three digit octal).

Approach 2

If they are group based you could make all files owned by root and the group employees (assuming normal users are in that group). Then for the files that you want him to edit (let use say his username is frontdev), you could do chown -R frontdev:employees /var/www/dir/front-end/views/ and then chmod that directory to 774...and you can do the same for individual files. That way all your employees, including you, in the employees group would have full permissions. Root would have permissions on all files and directories...and then you could assign his user as the one-off user in control of the files/dirs you need him to have access to.

You can also look into jailing the user to only authorized directories. Jailkit is a big one. Here is a good tutorial: https://askubuntu.com/questions/93411/simple-easy-way-to-jail-users

Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top