File and Directory rights for a User

#1 Thu, 11/07/2019 - 13:48
sebholmes

I have a newly set up server that is dedicated to hosting scientific data files. The files are being uploaded, currently manually (but this will be automated in future), by a very competent user.

The main consumer of these files is, frankly, a liability and so I'm keen to restrict his access only to the directory that the files are sitting in just because he's perfectly capable of deleting anything!

He will be getting access using WinSCP.

How do I set his rights so that all he can see (and screw up) is the folder/directory that I want him to see and no other? Is that do-able within Virtualmin/Webmin or do I have to do it through Linux (which I'm pretty weak at)?

Thu, 11/07/2019 - 13:56
Fri, 11/08/2019 - 02:57
sebholmes

Thanks Dibs. Helpful, but not quite there I'm afraid.

I created the user with its home directory set to the directory that I want to give access to, and that part worked fine. I logged in using WinSCP and got to the right directory first time. So far so good. The second step is to impose the restriction (according to Eric in https://virtualmin.com/node/13895) but when I went to do that, I get:

Starting proftpd (via systemctl): proftpd.service
Job for proftpd.service failed because the control process exited with error code.
See "systemctl status proftpd.service" and "journalctl -xe" for details.
 failed!

I ran the systemctl command and got this:

[seb@data ~]# systemctl status proftpd service
Unit service.service could not be found.
● proftpd.service - LSB: Starts ProFTPD daemon
   Loaded: loaded (/etc/init.d/proftpd; generated)
   Active: failed (Result: exit-code) since Fri 2019-11-08 07:17:24 GMT; 17min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4978 ExecStop=/etc/init.d/proftpd stop (code=exited, status=0/SUCCESS)
  Process: 5018 ExecStart=/etc/init.d/proftpd start (code=exited, status=1/FAILURE)

Nov 08 07:17:24 example.com systemd[1]: Starting LSB: Starts ProFTPD daemon...
Nov 08 07:17:24 example.com proftpd[5018]:  * Starting ftp server proftpd
Nov 08 07:17:24 example.com proftpd[5018]: 2019-11-08 07:17:24,461 example.com proftpd[5036]: mod_dso/0.5: module 'mod_tls.c' already loaded
Nov 08 07:17:24 example.com proftpd[5018]: 2019-11-08 07:17:24,464 example.com proftpd[5036]: mod_dso/0.5: module 'mod_sftp.c' already loaded
Nov 08 07:17:24 example.com proftpd[5018]: 2019-11-08 07:17:24,467 example.com proftpd[5036]: warning: "example.com" address/port (136.144.201.186:21) already in use by "Debian"
Nov 08 07:17:24 example.com proftpd[5018]: 2019-11-08 07:17:24,467 example.com proftpd[5036]: fatal: : relative path not allowed in non-<Anonymous> sections on line 195 of '/etc/proftpd/proftpd.conf'
Nov 08 07:17:24 example.com proftpd[5018]:    ...fail!
Nov 08 07:17:24 example.com systemd[1]: proftpd.service: Control process exited, code=exited status=1
Nov 08 07:17:24 example.com systemd[1]: proftpd.service: Failed with result 'exit-code'.
Nov 08 07:17:24 example.com systemd[1]: Failed to start LSB: Starts ProFTPD daemon.
[seb@data ~]#

I'm now out of my depth here. All input most welcome!

Fri, 11/08/2019 - 03:40
Dibs

Set the directory back to default (if you don't know what it was, you can always create another user and see what that one has) - and see if that resolves the error. If it does - then we know that proftpd doesn't like either relative paths or possibly how you've entered it.

EDIT: Looks like that might only work for the root user - https://www.virtualmin.com/comment/754230#comment-754230 . The following links might be worth reading:

https://www.virtualmin.com/node/14074
https://www.virtualmin.com/node/32952
https://virtualmin.com/node/9379

And possibly do a search on the forums and see if someone wanted to do what you are doing; there's bound to have been someone.

Fri, 11/08/2019 - 05:23
sebholmes

Thanks.

I have checked out the links above and no real joy. I then spent ages trawling through the forums and no luck there either. I'm finding it very hard to believe that I'm asking something unusual.

Just in case anyone new reads this, what I want to do is to restrict a user's access to a single data directory and hide everything else on the server from that user other than the very basic r/w functionality that they need to be able to log in and out. I want to be able to give them full access to that directory (FTP/SSH/SFTP, whatever) but no access to anything else. I can't be the first to want to do that and it seems to me very unlikely that the functionality doesn't exist, but I suspect that I'm not phrasing the question correctly and so I'm not finding the info I need.

All input most welcome!

Fri, 11/08/2019 - 05:32
Dibs

If you create a new user, you can lock them to their "home" directory - I do recall reading that. Admittedly the directory name might not quite be what you want - but should work. Or does it not?