# How do I create a customer with read just accessibility over SSH to a minimal subtree of folders?

I have a Debian web server, and also I intend to offer numerous customers read just accessibility to a subtree of folders on that particular web server. Exists a means to do this without by hand transforming the civil liberties of all documents and also folders?

0
2019-12-02 02:57:08
Source Share
Answers: 3

rssh does specifically that. From pizzashack.org :

rssh is a limited covering for usage with OpenSSH, permitting just scp and/or sftp. It currently additionally consists of assistance for rdist, rsync, and also curricula vitae. As an example, if you have a web server which you just intend to permit customers to replicate documents off of using scp, without giving covering accessibility, you can make use of rssh to do that. For a checklist of systems on which rssh is recognized to function, see the Platform Support Page.

0
2019-12-03 05:47:13
Source

the initial (from openbsd) sshd can do a complete chroot, pricing estimate from sshd_config :

ChrootDirectory

Specifies a path to chroot(2) to after authentication.  This
path, and all its components, must be root-owned directories that
are not writable by any other user or group.  After the chroot,
sshd(8) changes the working directory to the user's home directo-
ry.

The path may contain the following tokens that are expanded at
runtime once the connecting user has been authenticated: %% is
replaced by a literal '%', %h is replaced by the home directory
of the user being authenticated, and %u is replaced by the user-
name of that user.

The ChrootDirectory must contain the necessary files and directo-
ries to support the user's session.  For an interactive session
this requires at least a shell, typically sh(1), and basic /dev
nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
arandom(4) and tty(4) devices.  For file transfer sessions using
sftp'', no additional configuration of the environment is nec-
essary if the in-process sftp server is used, though sessions
which use logging do require /dev/log inside the chroot directory
(see sftp-server(8) for details).

The default is not to chroot(2).

0
2019-12-03 05:45:54
Source

If you actually intend to limit them down as high as feasible, I recommend considering a chrooted ssh install. In this way also if they did take care of to burst out their tree they wont have the ability to trawl around the underlying system.

The Debian individuals have an overview readily available on the topic.

0
2019-12-03 04:36:09
Source