I have set up an SFTP server using OpenSSH. The home directory for users is /sftp/%user. I'm mounting an S3 bucket at /sftp using S3FS. The problem is that S3FS cascades user permissions down through its directory structure, meaning:
- I can configure files at `/sftp/*` to have these permissions: `drwxr-xr-x 1 root root`, which allow SFTP users to connect, but they cannot write to their home directories because they don't own them.

      s3fs nwd-sftp /sftp/ -o iam_role=sftp-server -o allow_other -o stat_cache_expire=10 -o enable_noobj_cache -o enable_content_md5 -o umask=022
- I can configure files at `/sftp/*` to have permissions `drwxrwxr-x 1 root sftpusers`, so they can (in theory) write to their home directories, but the SSH protocol won't let them log in because it considers these permissions incorrect (allowing members of a group write access). I can't assign ownership on a per-user basis with S3FS.

      s3fs nwd-sftp /sftp/ -o iam_role=sftp-server -o allow_other -o stat_cache_expire=10 -o enable_noobj_cache -o enable_content_md5 -o umask=002 -o gid=501
Is there a solution I'm overlooking with the OpenSSH SFTP configuration that would allow users to log in and write to their directories? They are chrooted to their home directory, so I see no reason I can't give read/write permissions to all SFTP user home directories for the group sftpusers that they all share.

Is it possible to bypass SSH's issues here? What security flaws am I exposing in doing so?
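The rule sshd applies before honouring a ChrootDirectory is that every path component from `/` down to the chroot must be a directory owned by root and writable by neither group nor others. The check below reproduces that rule so the two mounts in the question can be compared side by side; it is an added example, not the poster's code or OpenSSH's, and the username `alice` and the constructed stat entries are assumptions.

```python
import os
import stat
from pathlib import PurePosixPath

# Mode bits sshd refuses on any component of a chroot path:
# group-writable or world-writable.
WRITABLE_BY_GROUP_OR_OTHER = stat.S_IWGRP | stat.S_IWOTH


def path_prefixes(path):
    """Yield '/', '/sftp', '/sftp/alice' for '/sftp/alice'."""
    parts = PurePosixPath(path).parts
    for i in range(1, len(parts) + 1):
        yield str(PurePosixPath(*parts[:i]))


def check_components(entries):
    """Apply the chroot-component rule to (path, uid, mode) tuples.

    Returns None when every component is acceptable, otherwise a
    message naming the first component sshd would reject."""
    for path, uid, mode in entries:
        if not stat.S_ISDIR(mode):
            return f"{path}: not a directory"
        if uid != 0:
            return f"{path}: owner uid {uid}, must be root (0)"
        if mode & WRITABLE_BY_GROUP_OR_OTHER:
            return f"{path}: mode {stat.filemode(mode)} is group- or world-writable"
    return None


def check_chroot(path):
    """Stat each prefix of a real path and apply check_components to it."""
    entries = []
    for prefix in path_prefixes(path):
        st = os.stat(prefix)
        entries.append((prefix, st.st_uid, st.st_mode))
    return check_components(entries)


# Constructed entries (assumption) modelling /sftp/alice under the two
# s3fs mounts from the question: umask=022 gives 0755 directories,
# umask=002 with gid=501 gives 0775 directories group-owned by sftpusers.
MOUNT_UMASK_022 = [("/", 0, stat.S_IFDIR | 0o755),
                   ("/sftp", 0, stat.S_IFDIR | 0o755),
                   ("/sftp/alice", 0, stat.S_IFDIR | 0o755)]
MOUNT_UMASK_002 = [("/", 0, stat.S_IFDIR | 0o755),
                   ("/sftp", 0, stat.S_IFDIR | 0o775),
                   ("/sftp/alice", 0, stat.S_IFDIR | 0o775)]

if __name__ == "__main__":
    print(check_components(MOUNT_UMASK_022))  # None: sshd accepts this chroot
    print(check_components(MOUNT_UMASK_002))  # /sftp: mode drwxrwxr-x is group- or world-writable
```

Run `check_chroot("/sftp/alice")` on the real server to see which component sshd would object to; the same rule is why a chroot placed under a world-writable directory such as `/tmp` is also refused.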