Another request for read-only FTP


#1

I know this has been asked before and the end response is “no”. I’m just taking another stab at it…

I’ve written an Android app for friends which will be offered through my DH shared host. The app requires occasional download of small audio files. I’d like to pull these out via read-only SFTP.

All users get full rwx access to anything in their /home/user space, so any smart alec who gets the password can wipe or replace the files. I could create a symlink in the /home/user path to read-only data elsewhere, but someone can still delete the symlink.

I’ve deleted default directories for Logs, Mail, Cache, and the BASH scripts, since none of that will be used. All that’s left is folder “downloads” and a small tree under it. So how can I protect this user and that one folder?

Even if I change permissions on that folder and its contents to 444, someone can just change them back to 777 after logging in with any FTP client.

So can we make a read-only User that only has SFTP access?

I don’t want to use DreamObjects as there is a (small) cost. I don’t want to use DropBox or a similar service, though ultimately that might be the way to go. I don’t want to recode to retrieve zip files via HTTP but I could do this and avoid the user/FTP issues.

For reference, this isn’t the only application for this. I have clients that I occasionally invite to pull down files via a common “partner” user, But unless I give each client their own user, there is a possibility that someone might accidentally delete files that aren’t related to them.

Thanks!


#2

No. We provide SFTP specifically for site management tasks; it’s not intended as a way to make files publicly accessible.

If you want to make these files available to your application, serve them over HTTP or HTTPS. (If you want to limit that access to your application, set up a HTTP password.) You’ll find this will probably make your application much simpler, as you will no longer need to bundle it with a bunch of SSH libraries.


#3

Perfect answer. Accepted. Thank you!