[CentOS] how to control sftp's user file folder

Wed Mar 2 01:15:26 UTC 2011
Nico Kadel-Garcia <nkadel at gmail.com>

On Tue, Mar 1, 2011 at 7:58 AM, Ray Van Dolson <rayvd at bludgeon.org> wrote:
> On Tue, Mar 01, 2011 at 07:53:21AM -0500, Nico Kadel-Garcia wrote:
>> On Mon, Feb 28, 2011 at 10:53 AM, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>> > 2011/2/28 Yang Yang <dapiyang at gmail.com>:
>> >> hi,i have a question want to ask
>> >>
>> >> if i add a user like:
>> >>
>> >> useradd test
>> >> groupadd test -g www
>> >>
>> >> and how to control user test only can see and write only folder(like
>> >> /home/htdocs/test,he can not see /home/htdocs or other folder)
>> >
>> > for example using chrooted scponly or tweaking filesystem acls and
>> > selinux settings.
>> >
>> > scponly chrooted is the easiest way.
>>
>> No, sftp is actually supported, somewhat, in OpenSSH 5 for this to
>> work well, which is not in CentOS 5, and integrating it to CentOS 5 is
>> problematic. It's also awkward to maintain, the chroot cages require
>> the relevant binaries nad libraries in each user's chroot cage. (I
>> used to publish the software changes for this, years back under SunOS
>> and RedHat 5.2, not RHEL 5.2).
>>
>> Frankly, don't. Use ftps, which Dovecot supports directly, or WebDav
>> over HTTPS, which Apache supports directly with mod_dav.
>
> I think you mean vsftpd?  Problem with FTPS is that it *can* be
> problematic with firewalls (not necessarily your own which you can set
> up correctly, but on the client side).

*Yes*, yes, definitely my mistake. Thank your for correcting that.

I know FTP can be a nightmare: I thought FTPS had pretty much
addressed the separate data and control channel issues, or am I
profoundly mistaken?

> ProFTPD may be a good option as well.  It should have a mod_sftp module
> which theoretically could be used in tandem with ProFTPD's native
> chroot'ing stuff.  Never tried it though.
>
> Ray

I got vsftpd and httpd/mod_dav playing together well some years back,
for someone who *insisted* on retaining FTP access for certain uses.
It was.... a fascinating adventure to get them to play nicely.