5

So in attempts to secure my server a bit, I created a new user with su - root access and denied root login. Now I can't SFTP any files on my server through Filezilla with this user. These are the steps I took :

  1. Created new user, new pass, SSH'd to the server, checked it, checked that I could switch user to root (all went well)
  2. Edited /etc/ssh/sshd_config from PermitRootLogin yes to PermitRootLogin no with Filezilla SFTP.
  3. Restarted SSHD service.
  4. Double checked again to ensure that new user had root access via SSH. All was fine.

Now, unfortunately, when SFTPing through Filezilla with new user/pass, I can access and view all the directories/files in my server, but I can't open/read/edit them.

Is there a permissions setting I need to change as root user for new user to be able to do this? Have I some how shot myself in the foot?

Edit : Ok, so as root is chmod'd the file 777, and this allowed me to view/edit as new user, but is there a way to simply grant a user all of these permissions for SFTP, but not the public/anyone else?

RCNeil
  • 615
  • 3
  • 9
  • 17
  • You create the files after you have su'd to root? – Tim Dec 22 '11 at 19:31
  • If that is the case, root most likely owns the file and it is defaulting to user read/write only. – Tim Dec 22 '11 at 19:31
  • umask may be the solution to your needs. It will set what the default mode is on newly created files/folders. – Tim Dec 22 '11 at 19:34
  • Thanks @Tim for your responses. This was more in regards to editing files that already existed under the new user. I was hoping to change permissions for a particular user when SFTPing so it would emulate that of 'root' user. I guess I'm just going to chmod change every file I want to SFTP edit as this new user. – RCNeil Dec 22 '11 at 19:41
  • Sounds to me like you should be configuring the new user to be chroot'd into their home directory. Your question is how to keep the user who SFTP's via filezilla from seeing everything on your box, right? – Craig Constantine Dec 22 '11 at 20:27
  • @craig - no, in fact, the opposite. I would like the new user to be able to not only see all files on the box, but edit them as well. There's going to be 1 user, me, and that's it. – RCNeil Dec 22 '11 at 20:43

2 Answers2

2

With regard to your edit about how to limit permissions, a traditional Unix idiom is to have a wheel group. You can create a group, give membership to the group to the user logging in via SFTP, and then change the group on the files you wish to have your user edit to group. Once you've done that, you can use chmod to give the group permissions without granting those permissions to everyone.

Many Unix distributions will already have a wheel or root or admin group, which is good for making sure anyone who checks up on your work later (including you if you forgot what you did) doesn't have to guess at what's going on and why, but sometimes that group will already have extra permissions granted to it that you will not want automatically granted to your SFTP user. Additionally, depending on what files you're concerned with, other scripts and utilities may expect specific group permissions on these files and if you change them, things will unexpectedly break. For these reasons, you may want to check documentation specific to whatever flavor of OS you're using before you make this change.

Howard Miller
  • 145
  • 5
  • Thanks, Howard. Suppose I login from Filezilla's SFTP as a member of the wheel group. But then I want to have a wide access (just like root had before I disabled the root login). I want to edit/DL/UL various files, for example configs, logs, web pages (with owner/group 'nginx') and whatnot. Should/could I change all group:root to group:wheel, and how o do that to all the system? Or could I do something else to elevate wheel's rights? I'm the only user there, so it's not a problem. – chang zhao Jan 13 '18 at 18:09
0

If I understood you well, you are trying to do files operations that are allowed only for root by a user with sudo privilege. You need to do the real work like editing the config files using ssh. SFTP enables you to access the system as normal user. Sudo privilege will not be effective unless you use ssh.

Khaled
  • 36,533
  • 8
  • 72
  • 99
  • I suppose so. I was hoping that by creating a sudo user, there was a way to grant them all the same privileges in regards to SFTP as root (when I SFTP'd before using root, there obviously were no permission problems) Now, since I denied root login, I can't SFTP that way anymore, so it seems I have no options but to either change permissions in SSH and then SFTP, then change them back, or SSH it. I just find it to be an easier method of editing in some cases. Thanks. – RCNeil Dec 22 '11 at 19:38