1

Currently running a Google compute engine instance and using SFTP on the server.

Followed details to lock a user to the SFTP path using steps listed here: https://bensmann.no/restrict-sftp-users-to-home-folder/

To lock the user to a directory, the home directory of that user needs to be owned by root. Initially, the setup worked correctly but found that Google compute engine sporadically "auto-resets" the permissions back to the user.

I am using an SSH key that is set in the Google Cloud Console and that key is associated with the username. My guess is that Google Compute Engine is using this "meta-data" and reconfiguring the folder permissions to match that of the user associated with the SSH key.

Is there any way to disable this "auto-reset"? Or, rather, is there a better method to hosting SFTP and locking a single user to a SFTP path without having to change the home folder ownership to root?

whaleson
  • 11
  • 1
  • I'm in the same situation, have you found a solution? I tried to add the immutable permission to the folder with `chattr +i` and with root user I can't change the ownership but apparently google can reset the ownership leaving immutable enabled. – Marco Martinelli May 15 '17 at 11:42
  • I know it's absolutely barbaric but until there is a better solution I'm using this cronjob to keep the right ownership: `* * * * * chown root:root /path/to/fix/` – Marco Martinelli May 15 '17 at 12:00
  • There is an [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages#accounts) running on the GCE instance which is responsible for provisioning user accounts from metadata data to the VM instance. If you create user account manually on the VM they will not be modified by accounts daemon. – Faizan May 15 '17 at 20:37
  • One other solution would be to use GCE user accounts feature, which provides users SSH access to the VM, without giving them project editor or owner permissions. However, this feature is private beta right now and would require your account to be whitelisted. You can refer to this [link](https://cloud.google.com/compute/docs/access/user-accounts/) for more information. – Faizan Aug 17 '17 at 20:08

1 Answers1

0

There are several solutions - one is at the OS level (as @Marco Martinelli suggested) with cron:

I know it's absolutely barbaric but until there is a better solution I'm using this cronjob to keep the right ownership: * * * * * chown root:root /path/to/fix/

Next up is creating manually users' accounts in the VM's - that way their permissions are not overwritten by account daemon.

There is an accounts daemon running on the GCE instance which is responsible for provisioning user accounts from metadata data to the VM instance. If you create user account manually on the VM they will not be modified by accounts daemon.

Last and I believe best for you wold be OS Login feature that @Faizan mentioned:

One other solution would be to use OS Login feature, which provides users SSH access to the VM, without giving them project editor or owner permissions.

It's now available to everyone so you can enable it project-wide or individually for a singe (or more) instance(s). After that you assign a proper roles (with permissions you need) to a users that need access. Go through linked documentation as it explains the whole process in detail.

Wojtek_B
  • 1,013
  • 4
  • 14