I would like to achieve the following with OpenSSH's internal-sftp, chroot and Match directive:
Users belonging to group sftpuser should have read and write access to /srv/sftp/{username} (or similar, certain tricks to present a nicer looking directory structure to the chrooted user might be taken)
Users belonging to group sftpadmin should have read and write access to /srv/sftp and subdirectories, i.e. all the other user directories.
All the users belonging to either sftpadmin or sftpuser are sftp-only users. So no need to worry about shells etc.
/srv/sftp needs to be owned by root for the sftpadmin users to be chrooted to that folder. /srv/sftp/{username} also needs to be owned by root to chroot the sftpuser users to that folder.
How should I best grant the sftpadmin users access to the root owned /srv/sftp/{username} directories?
Could I just use ACL on top of the root permissions?
Best Answer
I ended up doing this:
/srv/sftp/testadmin (home dir of the testadmin user)
/srv/sftp/testuser/testuser (home of the testuser user)
The sftpadmin group I chrooted to /srv/sftp:
and the sftpuser group I chrooted to /srv/sftp/{username} and changed their starting directory to /srv/sftp/{username}/{username} (which is just /{username} seen from the chroot):
Finally I gave the sftpadmin group rwx on the /srv/sftp/testuser/testuser dir:
This roughly accomplished what I wanted. The sftpadmin group can read, write and change working directory to anything beneath /srv/sftp (including the "home dirs" of the sftpuser group). The sftpuser group can only write to /srv/sftp/{username}/{username} directory and not see the other sftpuser home dirs since they are located outside the chroot for the sftpuser group.
The only thing undesirable about this is the /srv/sftp/{username}/{username} structure. A user of the sftpuser group can do cd .. and get back to /srv/sftp/{username}, where said user can do nothing useful except change back to /srv/sftp/{username}/{username}. Changing directory to /srv/sftp/{username} could be prevented by removing the execute bit for /srv/sftp/{username}, but that would also prevent the sftpadmin group from changing to that directory and hence effectively prevent them from listing files etc. in the /srv/sftp/{username}/{username} dir.
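The layout the answer describes, written out as an added example (this is not the answerer's own config or commands): a shell script that prints the two `Match` blocks for sshd_config, builds the `/srv/sftp/{username}/{username}` tree, applies the root ownership that `ChrootDirectory` requires, and grants the sftpadmin group rwx through an ACL. Assumptions: the groups `sftpuser` and `sftpadmin` already exist, the filesystem supports POSIX ACLs (`setfacl` is available), OpenSSH is 6.2 or newer (for `internal-sftp -d`), and the function names and the `SFTP_BASE` variable are mine. The default ACL (`setfacl -d`) goes one step beyond the answer so that files uploaded later inherit the admin group's access; `sftp_chroot_ok` is a check for the "bad ownership or modes for chroot directory" refusal sshd gives when any path component is not root-owned or is group/world writable.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes groups sftpuser and sftpadmin exist, setfacl is available and
# OpenSSH >= 6.2 (internal-sftp -d). SFTP_BASE and the function names are
# assumptions of this script.
set -eu

SFTP_BASE="${SFTP_BASE:-/srv/sftp}"

# Writable directory of one user: <base>/<user>/<user> (the answer's layout).
sftp_user_home() {
    printf '%s/%s/%s\n' "$1" "$2" "$2"
}

# Match blocks for sshd_config. They must go at the END of the file: every
# keyword after a Match line belongs to that block.
sftp_sshd_config() {
    cat <<EOF
Subsystem sftp internal-sftp

# Admins: chrooted to the shared base, so they see every user directory.
Match Group sftpadmin
    ChrootDirectory ${SFTP_BASE}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Users: chrooted to a root-owned per-user directory; start one level down,
# which is /<user> as seen from inside the chroot.
Match Group sftpuser
    ChrootDirectory ${SFTP_BASE}/%u
    ForceCommand internal-sftp -d /%u
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Create the tree for user $2 under base $1. Only mkdir/chmod here, so this
# part can be exercised without root; ownership and ACLs are applied below.
sftp_mkdirs() {
    base="$1"; user="$2"
    mkdir -p "$base/$user/$user"
    chmod 755 "$base"              # chroot roots: not group/world writable
    chmod 755 "$base/$user"
    chmod 750 "$(sftp_user_home "$base" "$user")"   # user's writable area
}

# Ownership and ACLs (needs root). Both chroot components become root-owned;
# the innermost directory belongs to the user, and sftpadmin gets rwx on it
# now and, via the default ACL, on files created inside it later.
sftp_apply_ownership() {
    base="$1"; user="$2"; home="$(sftp_user_home "$base" "$user")"
    chown root:root "$base" "$base/$user"
    chown "$user:sftpuser" "$home"
    setfacl -m g:sftpadmin:rwx "$home"
    setfacl -d -m g:sftpadmin:rwx "$home"
}

# Walk from $1 up to / and fail on anything sshd would reject as a chroot:
# a component not owned by root, or one that is group or world writable.
sftp_chroot_ok() {
    dir="$1"
    while :; do
        set -- $(stat -c '%u %A' "$dir")   # "<uid> drwxr-xr-x"
        [ "$1" = 0 ] || { echo "not root-owned: $dir" >&2; return 1; }
        case "$2" in
            ?????w????|????????w?) echo "group/world writable: $dir" >&2; return 1 ;;
        esac
        [ "$dir" = / ] && return 0
        dir="$(dirname "$dir")"
    done
}

# Usage (as root): SFTP_BASE=/srv/sftp sh sftp-layout.sh apply testuser
if [ "${1:-}" = apply ]; then
    user="${2:?username required}"
    sftp_mkdirs "$SFTP_BASE" "$user"
    sftp_apply_ownership "$SFTP_BASE" "$user"
    sftp_chroot_ok "$SFTP_BASE/$user"
    echo "--- append to /etc/ssh/sshd_config, then reload sshd ---"
    sftp_sshd_config
fi
```

Run `sshd -t` after appending the fragment, and confirm with `getfacl /srv/sftp/testuser/testuser` that the `group:sftpadmin:rwx` entry is there and the mask has not been narrowed by a later `chmod`. Note that `sftp_chroot_ok` is the check to reach for when a user's connection closes immediately after authentication: the mistake is almost always a chroot component that is writable by its group.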