Admin user for Linux-based SFTP Server

Problem :

I am able to successfully set up an SFTP user group and SFTP users using the below script on an AWS EC2 instance. While I was able to restrict SFTP users in the sftp_users group from accessing one another's directories and their contents, I now need to be able to create an admin SFTP user who can access and browse through all the contents of all SFTP folders and move stuff around. Is this possible? Like I have stated, my requirement would be to create individual SFTP users with access to ONLY their individual folders and to create an admin / super user who can access all the users' SFTP folders via SFTP. It is okay if the admin user has access to the whole file system along with the SFTP users' folders. I tried researching online with my limited Linux skills in this context, but could not arrive at anything.

echo "`date` Creating SFTP directory...."
mkdir -p /data/sftp

echo "`date` updating sshd_config"
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
echo 'Match Group sftp_users' >> /etc/ssh/sshd_config
echo 'ChrootDirectory /data/sftp' >> /etc/ssh/sshd_config
echo 'ForceCommand internal-sftp' >> /etc/ssh/sshd_config

echo "`date` Set permissions to 701 for all folders on the efs mount"
chmod -R 701 /data

echo "`date` Set owner to root:root for all folders on the efs mount"
chown -R root:root /data

echo "`date` adding sftp_users group"
groupadd sftp_users

echo "`date` restarting sshd"
systemctl restart sshd

###### Below is my user creation script that I eventually use to create individual SFTP users ######
echo "`date` creating /usr/local/sbin/create_sftp_user.sh"
echo -e '#!/bin/bash\n\nUSER_NAME=$1\nuseradd -g sftp_users -d /$USER_NAME -s /sbin/nologin $USER_NAME\n' > /usr/local/sbin/create_sftp_user.sh
echo -e 'passwd $USER_NAME\nmkdir -p /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
echo -e 'chown $USER_NAME:sftp_users /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
echo -e 'chmod 700 /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
chmod +x /usr/local/sbin/create_sftp_user.sh

Solution :

You should be able to achieve this by using File Access Control Lists (FACLs). You could, for example, create a group "sftpadmin" that only the admin user is a member of, then force all files in /data/sftp to be owned (and writable) by group "sftpadmin".

How to use FACLs is covered on the Unix & Linux StackExchange:
https://unix.stackexchange.com/questions/165865/forcing-owner-on-created-files-and-folders/165986#165986
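
One way to apply the FACL approach to the /data/sftp/<user> layout from the question, as an added example that is not part of the original answer. The DRY_RUN switch, the --apply flag and the function names are hypothetical; the chroot directory itself only gets r-x for the admin group because sshd requires a ChrootDirectory to be root-owned and not group- or world-writable.

```shell
#!/usr/bin/env bash
# Added example (run as root): give an admin group access to every SFTP
# user folder with POSIX ACLs, leaving the per-user isolation untouched.
# Assumed: layout /data/sftp/<user>, group name "sftpadmin" from the answer.

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_admin_acl <chroot_dir> <admin_group> [user_dir ...]
grant_admin_acl() {
    base=$1
    group=$2
    shift 2
    run groupadd -f "$group"
    # Chroot root: list and traverse only, never write (sshd would refuse it).
    run setfacl -m "g:${group}:r-x" "$base"
    for dir in "$@"; do
        # Existing content: rw on files, rwx on directories (capital X).
        run setfacl -R -m "g:${group}:rwX" "$dir"
        # Default ACL: files and folders created later inherit the entry.
        run setfacl -R -d -m "g:${group}:rwX" "$dir"
    done
}

# add_admin <user> <admin_group>: the admin account must NOT be in
# sftp_users, otherwise the Match block chroots it like everyone else.
add_admin() {
    run usermod -aG "$2" "$1"
}

# Only touch the system when asked to: ./script.sh --apply <admin_user>
if [ "${1:-}" = "--apply" ]; then
    grant_admin_acl /data/sftp sftpadmin /data/sftp/*/
    add_admin "$2" sftpadmin
fi
```

The rights the admin actually gets on newly uploaded files are capped by the ACL mask, which is derived from the mode the SFTP client requests, so check a fresh upload with getfacl and look at the "effective" column.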
