#1 2014-05-22 14:28:16

harshad1
Member
Registered: 2013-09-02
Posts: 20

Force permissions for file sharing (acl)

Hi all


I'm trying to set up a server so that multiple users can share files over sftp and ssh.

To do this I did the following:
0. Mounted an ext4 partition with acl enabled
1. Created a folder with an appropriate group (say 'sharing')
2. Set the gid flag on it (chmod g+s)
3. Added all the users to the sharing group
4. Set up acl on the folder:
      setfacl -dm u::rwX,g::rwX,o::- /path/to/folder
      setfacl -dm m::rwX /path/to/folder
      setfacl -dm g:sharing:rwX /path/to/folder

Now, whenever I create files or folders inside my shared folder they have the correct permissions (660) and the sharing group. However, when the files are *transferred* in via sftp, scp, unison etc the acl permissions do not take hold.

With unison I've tried setting perms=0 and dontchmod=true but this just gives all files -rw------- permissions.

SFTP mirrors the original permissions but is 'masked' by acl: i.e. a 666 file is set to 660 (as expected) while a 644 file becomes 640 (what I want is for it to be set to 660).

Is there any way to force permissions (with acl or some other tool) on files added or transferred into a folder regardless of the software doing the transferring? Ideally, I'd like it if this were something that happened completely on the server and did not depend on me configuring client tools.

Thanks!

Last edited by harshad1 (2014-05-22 15:09:10)
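
Why a 644 upload ends up as 640 under this setup, as an added example that is not part of the original posts: a small Python model of the acl(5) inheritance rule. It assumes the default ACL that the three setfacl commands in the post produce; the function names are this example's own.

```python
# Added illustration, not code from the thread. Models the acl(5) rule for a
# regular file created inside a directory that carries a default ACL.

# Default ACL as getfacl would list it after the three setfacl commands in the
# post (on a directory setfacl stores 'X' as 'x'). Constructed sample input.
DEFAULT_ACL = {
    "user::": 0o7,
    "group::": 0o7,
    "group:sharing": 0o7,
    "mask::": 0o7,
    "other::": 0o0,
}

def inherit(default_acl, create_mode):
    """Access ACL of a new file created with open(path, O_CREAT, create_mode).

    When a default ACL exists the umask is not consulted. The owner, mask and
    other entries are intersected with the matching bits of create_mode;
    group:: and named entries are copied as they are.
    """
    requested = {
        "user::": (create_mode >> 6) & 7,
        "mask::": (create_mode >> 3) & 7,
        "other::": create_mode & 7,
    }
    return {tag: perms & requested.get(tag, 7) for tag, perms in default_acl.items()}

def mode_bits(acl):
    """Mode shown by ls/stat: with a mask present, the group bits are the mask."""
    return (acl["user::"] << 6) | (acl["mask::"] << 3) | acl["other::"]

def effective(acl, tag):
    """Effective rights of group:: or a named entry: its perms limited by the mask."""
    return acl[tag] & acl["mask::"]

def report(create_mode):
    """Return (mode bits, effective rights of group:sharing) for a new file."""
    acl = inherit(DEFAULT_ACL, create_mode)
    return mode_bits(acl), effective(acl, "group:sharing")

if __name__ == "__main__":
    # 0o666 is a plain local create; 0o644 and 0o600 are modes a tool may request.
    for requested in (0o666, 0o644, 0o600):
        mode, sharing = report(requested)
        print(f"open(..., {requested:04o}) -> mode {mode:04o}, "
              f"group:sharing effective {sharing:o}")
```

The group bits of the new file follow the mode the creating program requests, so a tool that mirrors the source mode carries 644 through as 640 whatever the default ACL allows.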

#2 2014-05-22 17:44:05

rune0077
Member
Registered: 2009-04-11
Posts: 135

Re: Force permissions for file sharing (acl)

Change the umask of the sftp process.

In your sshd_config there's a line that says:

Subsystem       sftp    /usr/lib/ssh/sftp-server

Append -u 0002 (or whatever umask you want) to the end. Like this:

Subsystem       sftp    /usr/lib/ssh/sftp-server -u 0002

#3 2014-05-22 17:58:11

harshad1
Member
Registered: 2013-09-02
Posts: 20

Re: Force permissions for file sharing (acl)

rune0077 wrote:

> Change the umask of the sftp process.
>
> In your sshd_config there's a line that says:
>
> Subsystem       sftp    /usr/lib/ssh/sftp-server
>
> Append -u 0002 (or whatever umask you want) to the end. Like this:
>
> Subsystem       sftp    /usr/lib/ssh/sftp-server -u 0002

First thing I tried. Doesn't seem to work.

I should mention that I'm using sftp-chroot and I've used mount -bind to allow sftp users access to the (shared) data folder from within the chroot.
I don't know how this might affect the application of umask, which I'm enabling by:

    ForceCommand internal-sftp -u 0007

I was really hoping I'd be able to force this on the file-system level with acl or something similar :(

#4 2014-05-22 18:18:59

harshad1
Member
Registered: 2013-09-02
Posts: 20

Re: Force permissions for file sharing (acl)

I've been doing some research and it appears bindfs (http://bindfs.org/) may be a viable solution.

However, it also appears that this will force a performance penalty.
