2

We normally use public key logins for our server but a new subscription service is requiring a username and password for SCP access to a user's account (this is VaultPress, a remote backup utility for WordPress). We have a blog running under UserA at /home/usera/public_html. VaultPress requires a username and password for SCP access, but we don't want to give them UserA's credentials.

So the question is: How do we go about creating a UserB who can only SCP in and who only has access to UserA's home directory? And how do we ensure that any files written by UserB are editable/owned by UserA?

Kevin

2 Answers

1

You can simply use POSIX acl for this. Create user B with its default group as A (I'm assuming that the default group of user A is group A)

$ useradd -g A B # This creates a new user B with default group A

Now you need to set up the right permissions

$ chmod g+x /home/A # The group member needs execute permission to reach public_html directory
$ find /home/A/public_html -type d -exec chmod g+rwx {} \; # This will give all directories under public_html rwx group permissions
$ find /home/A/public_html -type f -exec chmod g+rw {} \; # This will give all files under public_html rw group permissions
$ sudo -u A -i "echo umask 002 >> ~/.bashrc" && sudo -u B -i "echo umask 002 >> ~/.bashrc" # Append (not overwrite) umask 002 to both users' ~/.bashrc so all future files are group-writable

Based on the above setup, B can read and write inside public_html directory. AFAIK, Vaultpress needs write permissions in order to restore the backups. You can remove the write permission if you're not planning to use the auto-restore feature of Vaultpress. On top of this, all the files will be editable by the original user A.

Any file/directory that is created by B will be owned by group A by default. This will share the ownership of those files among users A and B.

Please add a comment if you'd like me to clarify anything.

vagarwal
  • This was my original thought as well, but I thought there might be a more "correct" way to do it. Regarding Vaultpress - Does it use SCP for the backups themselves or only for restorations? If only for restorations, it seems like we wouldn't need to grant access until we needed to actually restore something. – Kevin Feb 04 '14 at 18:14
  • Another way can be to set up a new user and simply rsync the original public_html directory at regular intervals. You will lose VaultPress's auto restore feature though. RE: VaultPress - AFAIK, VaultPress provides offsite backup hosting so they'll not be writing anything except when restoring one. Best to look at their docs. – vagarwal Feb 04 '14 at 18:32
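The shared-group layout in the answer above is easy to get subtly wrong (a `find -type d` where `-type f` was meant, or a `>` that wipes `.bashrc`), and nothing in the answer verifies the result. The following is an added example, not part of the answer or of VaultPress: a small POSIX sh script that applies the group permissions to a web root, audits the tree for any directory or file the group still cannot use, and appends the umask line idempotently. It assumes `useradd -g A B` has already been done so the tree's group owner is the shared group; the paths it builds in `demo` are constructed scratch paths.

```shell
#!/bin/sh
# Added example (not from the original answer). Apply the group-permission
# layout to a web root, then audit it so a missed file or directory is
# caught before the backup user tries to read or write it.

# Every directory needs g=rwx (traverse + create); every regular file g=rw.
# Note the second find uses -type f: a -type d here would leave files untouched.
apply_group_perms() {
    root="$1"
    find "$root" -type d -exec chmod g+rwx {} +
    find "$root" -type f -exec chmod g+rw {} +
}

# Count directories lacking g=rwx (octal 070) and files lacking g=rw (060).
# Prints "<bad_dirs> <bad_files>"; both should be 0 after apply_group_perms.
count_group_gaps() {
    root="$1"
    bad_dirs=$(find "$root" -type d ! -perm -070 | wc -l | tr -d ' ')
    bad_files=$(find "$root" -type f ! -perm -060 | wc -l | tr -d ' ')
    echo "$bad_dirs $bad_files"
}

# Append "umask 002" to an rc file with >> (never >, which would overwrite
# the user's existing file), and only once even if run repeatedly.
ensure_umask_line() {
    rcfile="$1"
    grep -qx 'umask 002' "$rcfile" 2>/dev/null || printf 'umask 002\n' >> "$rcfile"
}

# Demo on a constructed tree under mktemp (hypothetical paths), then clean up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/wp-content/uploads"
    : > "$tmp/public_html/index.php"
    : > "$tmp/public_html/wp-content/uploads/a.jpg"
    chmod 755 "$tmp/public_html" "$tmp/public_html/wp-content" "$tmp/public_html/wp-content/uploads"
    chmod 644 "$tmp/public_html/index.php" "$tmp/public_html/wp-content/uploads/a.jpg"
    echo "before: $(count_group_gaps "$tmp/public_html")"   # 3 dirs, 2 files still closed to the group
    apply_group_perms "$tmp/public_html"
    echo "after:  $(count_group_gaps "$tmp/public_html")"   # 0 0
    ensure_umask_line "$tmp/bashrc"
    ensure_umask_line "$tmp/bashrc"
    echo "umask lines in rc file: $(grep -c 'umask 002' "$tmp/bashrc")"   # 1
    rm -rf "$tmp"
}

demo
```

Run `count_group_gaps /home/A/public_html` after the real setup; any non-zero count is a path the backup user will fail on. The audit is also the thing to re-run after a WordPress update, since files the web server creates with a restrictive umask will show up here.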
0

You might want to look into sftp with chrooted environments. Basically you would have two ssh services running on different ports.

One is specifically just for sftp (user/password) chrooted on a particular directory that you set up, the other is for your normal ssh connections for server maintenance via pub key authentication.

Look into this: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

mahatmanich