I am able to successfully set up an SFTP user group and SFTP users using the script below on an AWS EC2 instance. While I was able to restrict SFTP users in the sftp_users group from accessing one another's directories and their contents, I now need to be able to create an admin SFTP user who can access and browse through all the contents of all SFTP folders and move stuff around. Is this possible? Like I have stated, my requirement would be to create individual SFTP users with access to ONLY their individual folders and to create an admin / super user who can access all the users' SFTP folders via SFTP. It is okay if the admin user has access to the whole file system along with the SFTP users' folders. I tried researching online with my limited Linux skills in this context, but could not arrive at anything.
```bash
# Bootstrap script: chrooted SFTP-only area under /data/sftp for members of sftp_users
echo "`date` Creating SFTP directory...."
mkdir -p /data/sftp
echo "`date` updating sshd_config"
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
# Match block must stay at the end of sshd_config; it applies only to the sftp_users group
echo 'Match Group sftp_users' >> /etc/ssh/sshd_config
echo 'ChrootDirectory /data/sftp' >> /etc/ssh/sshd_config
echo 'ForceCommand internal-sftp' >> /etc/ssh/sshd_config
# sshd requires every component of the chroot path to be root-owned and not group/world-writable
echo "`date` Set permissions to 701 for all folders on the efs mount"
chmod -R 701 /data
echo "`date` Set owner to root:root for all folders on the efs mount"
chown -R root:root /data
echo "`date` adding sftp_users group"
groupadd sftp_users
echo "`date` restarting sshd"
systemctl restart sshd

###### Below is my user creation script that I eventually use to create individual SFTP users ######
# Home directory is given relative to the chroot (/data/sftp), hence -d /$USER_NAME
echo "`date` creating /usr/local/sbin/create_sftp_user.sh"
echo -e '#!/bin/bash\n\nUSER_NAME=$1\nuseradd -g sftp_users -d /$USER_NAME -s /sbin/nologin $USER_NAME\n' > /usr/local/sbin/create_sftp_user.sh
echo -e 'passwd $USER_NAME\nmkdir -p /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
# Each user owns only their own directory; mode 700 keeps other sftp_users members out
echo -e 'chown $USER_NAME:sftp_users /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
echo -e 'chmod 700 /data/sftp/$USER_NAME\n' >> /usr/local/sbin/create_sftp_user.sh
chmod +x /usr/local/sbin/create_sftp_user.sh
```
You should be able to achieve this by using File Access Control Lists (FACLs). You could, for example, create a group “sftpadmin” that only the admin user is a member of, then force all files in /data/sftp to be owned (and writable) by group “sftpadmin”.
How to use FACLs is covered on the Unix & Linux StackExchange:
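One way to put the answer's FACL approach into practice on the question's layout, as an added example rather than code from the answerer: it assumes the chroot root /data/sftp and the per-user 700 directories from the question, the group name sftpadmin from the answer, an admin account that is in sftpadmin but not in sftp_users (so the Match block does not chroot it), and the acl package (setfacl/getfacl) on a filesystem mounted with ACL support.

```shell
#!/bin/sh
# Added example (not the answerer's code): grant one admin group read/write access to
# every per-user directory under an SFTP chroot via POSIX ACLs, without loosening the
# per-user 700 modes. Assumed: root /data/sftp (question), group sftpadmin (answer),
# admin account not in sftp_users so it is not chrooted. Needs setfacl/getfacl and
# ACL support on the mount (EFS/ext4/xfs support them).
set -eu

SFTP_ROOT="${SFTP_ROOT:-/data/sftp}"
ADMIN_GROUP="${ADMIN_GROUP:-sftpadmin}"

# Access entry for existing objects. Capital X grants execute only on directories
# (or files already executable), so regular files do not become executable.
access_entry() { printf 'g:%s:rwX' "$1"; }

# Default entry, valid on directories only: files and subdirectories that users
# create later inherit it, so the admin keeps access without re-running this.
default_entry() { printf 'd:g:%s:rwx' "$1"; }

# The chroot root must stay root-owned and not group/world-writable or sshd refuses
# the chroot. sshd checks st_mode, and the ACL mask is reflected in the group bits,
# so the root only receives read+traverse here, never write.
root_entry() { printf 'g:%s:r-x' "$1"; }

apply_admin_acl() {
    local root="$1" group="$2"
    getent group "$group" >/dev/null || groupadd "$group"
    setfacl -m "$(root_entry "$group")" "$root"
    # Per-user trees: access entry on everything, default entry on directories.
    # The owning-group entry (sftp_users) stays ---, so users still cannot see each other.
    for userdir in "$root"/*/; do
        [ -d "$userdir" ] || continue
        setfacl -R -m "$(access_entry "$group")" "$userdir"
        find "$userdir" -type d -exec setfacl -m "$(default_entry "$group")" {} +
    done
}

# Inspect the result; "ls -l" shows a trailing "+" on objects that carry an ACL.
verify_admin_acl() { getfacl -p "$1"; }

case "${1:-}" in
    --apply) apply_admin_acl "$SFTP_ROOT" "$ADMIN_GROUP"
             verify_admin_acl "$SFTP_ROOT" ;;
    *) echo "dry run: would set $(root_entry "$ADMIN_GROUP") on $SFTP_ROOT and" \
            "$(access_entry "$ADMIN_GROUP"),$(default_entry "$ADMIN_GROUP") below it;" \
            "run with --apply as root" ;;
esac
```

Re-run it after adding a new user directory, or hook it into create_sftp_user.sh, since the default entry only propagates to objects created under a directory that already carries it.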