I'm setting up an SFTP server that several different clients will use.

My main issue is that it's absolutely crucial that employees of one client DO NOT see even the directory names of other clients' directories.

Right now user janedoe gets chroot access to /sftp/janedoe/home. They cannot access outside directories.

I need janedoe to be able to access /sftp/projects/Walmart-ProjectABC and I cannot have janedoe see directory /sftp/projects/Kmart-ProjectXYZ. janedoe will have several colleagues that need to access the same directory, so I cannot just stick that project directory in their home directory.

Greenonline
Mirth

1 Answer

Use bind mounts to construct what each user can see.

For example (under Linux), chroot janedoe to /sftp/janedoe and give her access to the Walmart-ProjectABC project:

mkdir /sftp/janedoe/Walmart-ProjectABC
mount --bind /sftp/projects/Walmart-ProjectABC /sftp/janedoe/Walmart-ProjectABC

This can be a line in /etc/fstab if you want to make all of these static, or a script that runs before switching to the user if you want to make them dynamic.

The directory that is the mount point (/sftp/janedoe/Walmart-ProjectABC) should not be modifiable or movable by the user, to avoid having to handle errors in case the user moves it or somehow creates files in it.
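
The static /etc/fstab variant described in the answer above, as an added example that is not part of the original answer: it turns an access list into one bind entry per user and project, and rejects any name that is not a single path component so an entry can never expose the parent /sftp/projects directory. The access-list format, the function names and every user other than janedoe are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate /etc/fstab bind-mount entries from an access list.
# SFTP_ROOT and PROJECTS mirror the paths in the question; the "user project"
# list format is an assumption of this example.
SFTP_ROOT=/sftp
PROJECTS=/sftp/projects

# Accept only a single path component: not empty, not "." or "..", no slash.
valid_name() {
    case "$1" in
        ''|.|..|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read "user project" lines on stdin and print one fstab line per valid pair.
# Malformed lines are reported on stderr and skipped.
fstab_lines() {
    while read -r user project extra; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_name "$user" || ! valid_name "$project"; then
            echo "skipped: $user $project $extra" >&2
            continue
        fi
        # fstab fields: source, mount point, type, options, dump, pass
        printf '%s/%s %s/%s/%s none bind 0 0\n' \
            "$PROJECTS" "$project" "$SFTP_ROOT" "$user" "$project"
    done
}

# Constructed sample list: two colleagues share one project, a third user
# belongs to another client, and the last entry is malformed on purpose.
sample_acl() {
    cat <<'EOF'
# user    project
janedoe   Walmart-ProjectABC
jsmith    Walmart-ProjectABC
bob       Kmart-ProjectXYZ
intern    ../projects
EOF
}

sample_acl | fstab_lines
```

Each mount point still has to be created with mkdir, as in the answer, before the entries are mounted.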