SFTP jail & Keeping file ownership the same / File owner per folder


I want to set up a jailed SFTP account for a subfolder of another user's home folder, but want the owner of everything in that subfolder to stay the same, including new files and folders uploaded and created by the SFTP user, while still allowing access to the files and folders of that subfolder as if the SFTP user was the parent user.

rawny
bawb-sftp
/home/rawny <- rawny owns this
/home/rawny/sftp <- rawny owns this too, but bawb-sftp can upload to it, edit files, etc

bawb-sftp uploads a file
/home/rawny/sftp/lol.txt
rawny should still own the file, as if he made it in the first place, even though bawb-sftp was the one that uploaded it.

Basically I guess I'm asking for an sftp jail that acts as a highly limited passthrough/puppet for another user?

Best Answer

Assuming Linux, using a group is one way to go here. Create a group containing both rawny and bawb-sftp, and use chgrp thatgroup /home/rawny/sftp (assuming starting with an empty directory, add an -R for recursive otherwise).

Next, set both suid and sgid bits on the directory, and give both user and group rwx access: chmod 677? /home/rawny/sftp (replace the ? with whatever you want world access to be. Common choices are 5 (rx), 1 (x) and 0, depending on whether you want anyone else to access this at all or not.) If the folder isn't empty, do not use -R; you'll need to apply the suid/sgid/x bits to each folder individually.

The suid/sgid bits, when used on directories in Linux, cause newly created files and subdirectories to automatically be owned/grouped the same as the directory (subdirectories will also be suid/sgid), so all files created under /home/rawny/sftp will be owned by rawny and in thatgroup so bawb-sftp can access them. Note that umask may need to be modified to create files with group-write permissions (see here, but use with umask 00? where ? is 2, 6 or 7, matching the choices earlier).
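The group-based setup from the answer as an added example (my own script, not from the answer or the original page): it applies the setgid bit plus owner/group rwx to a directory and then verifies that a file created inside it picks up the directory's group and is group-writable. The group name sftpshare, the sshd_config Match block and the `-u 002` umask option of internal-sftp are assumptions for the root-only steps shown in the comments; the functions themselves run unprivileged on any directory the caller owns.

```shell
#!/bin/sh
# Added example: prepare a setgid shared directory and check group inheritance.
# Root-only steps for the question's layout (assumed names, shown for reference):
#   groupadd sftpshare
#   usermod -aG sftpshare rawny
#   usermod -aG sftpshare bawb-sftp
#   chgrp sftpshare /home/rawny/sftp
#   chmod 2770 /home/rawny/sftp      # setgid + rwx for owner and group, no world access
# Assumed sshd_config fragment so the jailed user creates group-writable files:
#   Match User bawb-sftp
#       ChrootDirectory /home/rawny
#       ForceCommand internal-sftp -u 002

# Put DIR into GROUP and set mode 2770 (setgid, rwx for owner and group).
setup_shared_dir() {
    dir=$1
    group=$2
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
}

# Return 0 when DIR carries the setgid bit and rwx for owner and group (2770).
# GNU stat is assumed (%a prints the octal mode including the special bits).
check_shared_dir() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "2770" ]
}

# Create NAME under DIR with umask 002 and return 0 when the new file's group
# equals the directory's group (setgid inheritance) and its mode is 664.
check_group_inheritance() {
    dir=$1
    f="$dir/$2"
    (umask 002; : > "$f") || return 1
    [ "$(stat -c '%g' "$f")" = "$(stat -c '%g' "$dir")" ] || return 1
    [ "$(stat -c '%a' "$f")" = "664" ]
}
```

The checks only look at the group of the new file, which is what the setgid bit controls; run them against the real directory after the root-only steps to confirm the result before handing the account to the SFTP user.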