Overriding other users' permissions


#1

Hi all,

I’ve recently delegated part of my webspace to a couple of friends so they can help out with some site admin. Unfortunately if they create some folders via SFTP the group-write bit is off by default, so I can’t put any files in the folders they create. Because they own the folder I also can’t go into a shell and chmod g+w because I get a permission denied error (even though I own the containing folder.)

Is there any way around this? The folders are all SGID which works (new folders are owned by the shared group) but group-write is still disabled. From the DH wiki it looks like I could set up a cron job to fix the permissions, but then I would have to grant each user shell access which I don’t want to, not to mention having to run a cron job over the same set of folders for each user who might be working there.

Is there any way to force the group-write bit on via SFTP, and to override it in case of already existing files? Setting default ACLs would probably work, but the ext3 filesystem that DH uses doesn’t seem to support ACLs.

Any ideas?


#2

If group-write is set then files can be overwritten (that’s what it’s for).

Create a communal user, share credentials with group.

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#3

Yes, the problem is that I can’t stop people unsetting group-write.

What happens if someone changes the password for the communal user? Also how do I then know who created which files?

Thinking about this further, being able to sudo to the other users (without knowing their password, and without them having to be shell users) would be ideal. I have submitted a DreamHost suggestion for this (as recommended by DH support.)


#4

Only the Panel admin (you) should have access to change the password.

sudo would be nice, but don’t hold your breath waiting for it to be implemented :wink:



#5

Bummer :wink:

I thought anyone could change their password with the normal commands.

DH support suggested putting an SSH key in the user’s home directory so I could “ssh newuser@localhost” to become the new user without needing the password which I might have to do. Only downside is that then all my users need to have shell access.


#6

I dunno about that… I just changed my shell user password successfully using the passwd command. Couldn’t find anything official that says you can’t change your password this way either. Also I don’t think the DreamHost backend stores it to where you can get the plain text version via the API. If it makes a difference I’m still on Debian 3.1

Customer since 2000 :cool: openvein.org


#7

Tried passwd over an SFTP account yet? :stuck_out_tongue:

@Malvineous: A communal SFTP user is quite adequate for the task you mentioned, unless there’s some reason in particular that necessitates each user has their own account. I don’t wanna sound like a wet blanket, but if you have any doubts regarding the level of trust you can afford the group, or any specific users, then you should probably rethink allowing the group/users to have access to your account at all. As account holders we’re ultimately responsible for what happens on our hosting account.



#8

Yeah forgot this was about SFTP only.



#9

Off-topic: your findings regarding the API apparently not reflecting a shell-changed password is likely something that’s going to need looking into on DreamHost’s end. I gather it was with the user-list_users command (I haven’t mucked about with the API yet). Did the user disappear from the returned list or was it a case that the old password was left unchanged in its response?



#10

The old password was left unchanged in its response. Though I only checked the response within a minute of the change. I’m not too worried about it since the DH account holder can change it to whatever they want in the end; but then again API Apps that use it to auto-login might encounter login failures.



#11

Yeah, it could leave a coder scratching his head if they rely on it.

andrewf might see your post and take a squizz at it.



#12

Add umask 002 to .bash.rc within all SFTP accounts that will connect to the base account.

* NB: this will affect default masks wherever they create files from now on!

You’ll need to set permission masks manually on any preexisting files within the shared base account. Give the base account owner (you) shell access and use a recursive command in shell to quickly set up the required permission masks in the appropriate directories.

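A sketch of the recursive fix-up suggested in post #12, as an added example that is not part of the original thread. It assumes GNU find and stat, and that shared directories should carry setgid plus group rwx as described in the first post; the function names are hypothetical. It only changes paths the caller owns, since chmod on another user's files is refused, and lists whatever is left.

```shell
#!/bin/sh
# Added example: audit and repair group-write/setgid in a shared web tree.
# Function names are hypothetical; requires GNU find and GNU stat.

# List every path under $1 the group cannot fully use:
# directories missing setgid or g+rwx, files missing g+rw.
# Output format: owner<TAB>octal-mode<TAB>path
audit_shared() {
    find "$1" \( -type d ! -perm -2070 -o -type f ! -perm -0060 \) \
        -printf '%u\t%m\t%p\n'
}

# Fix what the calling user owns, then print what is still wrong.
# chmod is refused on paths owned by other users, so the remaining
# lines name the owners who have to fix their own files.
repair_shared() {
    find "$1" -uid "$(id -u)" -type d ! -perm -2070 \
        -exec chmod g+rwxs {} +
    find "$1" -uid "$(id -u)" -type f ! -perm -0060 \
        -exec chmod g+rw {} +
    audit_shared "$1"
}

# Show the mode a new directory gets under a given umask.
# Runs in a subshell so the caller's umask is left untouched.
# $1 = umask (e.g. 022 or 002), $2 = existing parent directory
mkdir_mode_under() {
    (
        umask "$1"
        mkdir "$2/probe.$1"
        stat -c '%a' "$2/probe.$1"
        rmdir "$2/probe.$1"
    )
}

# Stand-alone use: sh fix-shared.sh /path/to/shared/dir
if [ -n "${1:-}" ]; then
    repair_shared "$1"
fi
```

Any lines printed after a repair run are paths owned by other group members, which is the list to hand back to them.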


#13

Does umask (and/or .bash.rc) still work even if it’s an SFTP only account?


#14

The base (destination) account can be any type - even an FTP Only account - the magic is in the connecting SFTP account’s umask settings. I only mentioned shell access on the base account to ease the setting up of masks on any preexisting files and directories.

It’s important to remember that changing the umask settings for each of the group’s SFTP users affects masks on all subsequent files and directories that each individual user creates, which could lead to privacy concerns in regard to their “personal” /home/username/… userspace.



#15

Thanks all for the suggestions. Just FYI there is now a DH suggestion to allow sudo access.

Since DH apparently listen to votes, hopefully anyone who would find this useful would be willing to go and vote for it.