Give user SCP access to another user’s home directory


We normally use public key logins for our server but a new subscription service is requiring a username and password for SCP access to a user's account (This is Vaultpress – A remote backup utility for WordPress). We have a blog running under UserA at /home/usera/public_html. Vaultpress requires a username and password for SCP access, but we don't want to give them UserA's credentials.

So the question is: How do we go about creating a UserB who can only SCP in and who only has access to UserA's home directory? And how do we ensure that any files written by UserB are editable/owned by UserA?

Best Answer

You can simply use POSIX ACLs for this. Create user B with its default group as A (I'm assuming that the default group of user A is group A).

$ useradd -g A B # This creates a new user B with default group A

Now you need to set up the right permissions

$ chmod g+x /home/A # The group member needs execute permission to reach public_html directory
$ find /home/A/public_html -type d -exec chmod g+rwx {} \; # This will give all directories under public_html rwx group permissions
$ find /home/A/public_html -type f -exec chmod g+rw {} \; # This will give all files under public_html rw group permissions
$ sudo -H -u A sh -c 'echo "umask 002" >> ~/.bashrc' && sudo -H -u B sh -c 'echo "umask 002" >> ~/.bashrc' # Appends to each user's .bashrc (without overwriting it) so that all future permissions are OK for your purpose

Based on the above setup, B can read and write inside the public_html directory. AFAIK, Vaultpress needs write permissions in order to restore the backups. You can remove the write permission if you're not planning to use the auto-restore feature of Vaultpress. On top of this, all the files will be editable by the original user A.

Any file/directory that is created by B will be owned by group A by default. This will share the ownership of those files among users A and B.

Please add a comment if you would like me to clarify anything.
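A check for the layout the answer sets up, as an added example that is not part of the original answer: the function `audit_shared_tree` (a hypothetical name) lists entries under a web root that are outside the shared group or lack the group permissions described above. It also flags world-writable entries, which goes beyond what the answer covers.

```shell
#!/bin/sh
# Added example, not from the original answer.
# audit_shared_tree ROOT GROUP
#   ROOT  - shared directory, e.g. /home/A/public_html
#   GROUP - shared group name or numeric gid, e.g. A
# Prints one line per entry that breaks the model.
# Returns 0 if the tree is clean, 1 if findings exist, 2 on bad input.
# Usage: audit_shared_tree /home/A/public_html A
audit_shared_tree() {
    root=$1
    grp=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    bad=$(
        # Entries that do not belong to the shared group, so the other
        # account cannot rely on group permissions to edit them.
        find "$root" ! -group "$grp" -exec printf 'wrong-group %s\n' {} \;
        # Directories missing any of group read, write or execute.
        find "$root" -type d ! -perm -070 -exec printf 'dir-not-g+rwx %s\n' {} \;
        # Regular files missing group read or write.
        find "$root" -type f ! -perm -060 -exec printf 'file-not-g+rw %s\n' {} \;
        # World-writable entries are wider than the group model needs.
        find "$root" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} \;
    )

    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Running it after a backup restore shows whether files written over SCP came out with the expected group and mode, which depends on the umask actually in effect for that session.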
