0

I'm trying to make it so my customuser can use programs like FileZilla, CuteFTP, Bitvise SSH, etc. to SFTP into the server and modify files in the root directories. I use Bitvise SSH normally because it acts as both an SSH terminal and a file explorer.

I have created a new user via:

  • useradd customuser
  • passwd customuser

I have set up wheel, root permissions access via:

  • usermod -G wheel,root customuser

I have modified my sshd_config file and added the following two lines:

  • PermitRootLogin no
  • AllowUsers customuser

I have modified sudoers and added the following. Bear in mind I only allow SSH connections right now and I don't mind if this user (a very hard to bruteforce username) has full access to root; I just don't want root to be a user that can be logged into. Eventually I'll re-enable the password on the root account to increase the security on the customuser (once re-removing root file permissions).

  • customuser ALL=(ALL) NOPASSWD: ALL

I have restarted sshd:

  • service sshd restart

However I cannot access any directory above /home/deploy/ because I don't have the correct permissions... I'm not sure what I am missing in order to achieve the desired result.

Could anyone point me in the right direction?

Ryflex

1 Answer

0

sudo privileges only apply when using the sudo command to execute things, which can't be done using sftp. You must have an interactive shell like bash to issue sudo commands. When using sftp, you will only have the basic user/group access that the user has - no elevated privileges. You would need to copy files into the user home directory using sftp, then use ssh to log in and sudo to manipulate things the way you want them.

pmdba
  • So how would I bypass that requirement to sftp the files and then ssh and sudo move/delete, etc.? That's the whole thing I am trying to achieve. – Ryflex Apr 21 '21 at 03:38
  • You can't, as far as I know. SFTP just doesn't allow for privilege elevation. – pmdba Apr 21 '21 at 10:05
  • So only the root account can access those files? There's no way of making an account or giving an account permissions to root files? – Ryflex Apr 22 '21 at 00:40
  • Not through sftp, not without changing the permissions on the files from their original settings or - depending on the group permissions on the files - changing the default group of the login user. – pmdba Apr 22 '21 at 02:48
  • I'm not against changing the default group for the login user... – Ryflex Apr 22 '21 at 15:56
  • That would only work if existing group permissions on directories and files allowed changes to be made. Files owned/maintained by root often have group permissions disabled, so it isn't a cure-all. – pmdba Apr 22 '21 at 16:35
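
The access check that the answer and its comments describe, as an added example that is not part of the original thread: a shell model of the owner/group/other decision an SFTP session is subject to, since no sudo is involved. The uid/gid numbers (customuser = 1001, wheel = 10), paths and modes are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the owner/group/other check applied to an SFTP
# session (no sudo). All uids, gids, paths and modes are constructed.

# class_bits UID "GIDS" FILE_UID FILE_GID MODE -> prints the rwx bits (0-7)
# of the single permission class that applies to this user.
class_bits() {
    uid=$1 gids=$2 fuid=$3 fgid=$4 mode=$(( 0$5 ))   # leading 0 = octal
    if [ "$uid" -eq "$fuid" ]; then                  # owner class wins first
        echo $(( (mode >> 6) & 7 )); return
    fi
    for g in $gids; do                               # then any matching group
        if [ "$g" -eq "$fgid" ]; then
            echo $(( (mode >> 3) & 7 )); return
        fi
    done
    echo $(( mode & 7 ))                             # otherwise "other"
}

# can_write UID "GIDS" FILE_UID FILE_GID MODE -> exit status 0 if allowed
can_write() {
    [ "$1" -eq 0 ] && return 0      # on Linux, uid 0 bypasses read/write checks
    bits=$(class_bits "$@")
    [ $(( bits & 2 )) -ne 0 ]       # write bit of the applicable class
}

# Constructed sample: customuser (uid 1001) in groups 1001, wheel (10) and
# root (0), as after `usermod -G wheel,root customuser`.
report() {
    while read -r path fuid fgid mode; do
        if can_write 1001 "1001 10 0" "$fuid" "$fgid" "$mode"; then
            r=writable
        else
            r=denied
        fi
        echo "$path $mode $r"
    done
}

# Columns: path, owner uid, group gid, octal mode
report <<'EOF'
/etc/example.conf 0 0 644
/srv/shared 0 0 775
/home/customuser 1001 1001 700
/root 0 0 550
EOF
```

Membership in the root group only helps where the group write bit is set (the 775 entry); the 644 and 550 entries stay read-only over SFTP, which matches the last comment above.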