WebFaction
I've created another ssh/sftp/ftp user. How do I grant them permissions to my application?

asked 19 Sep '12, 13:15

bmeyer71 ♦♦


We have detailed documentation to help you add permissions to your extra users here.

Note: only tested on 64bit CentOS.

For those that want an easier way, here is a quick script that will perform those steps for you.

#!/bin/bash

if [ "$#" -lt 2 ]; then
    echo 'Too few arguments.'
    echo
    echo 'USAGE: permissions.sh action username app_name'
    echo 'eg: permissions.sh grant joe django'
    echo 'actions: grant, revoke-app, revoke-all'
    exit 1
fi

PRIMARY_USER=$(whoami)
ACTION=$1
SECONDARY_USER=$2
APP_DIR=$3

if [ "$ACTION" = "grant" ] && [ "$#" -eq 3 ]; then
    if [ ! -d "$HOME/webapps/$APP_DIR" ]; then
        echo "No such application directory: $HOME/webapps/$APP_DIR"
        exit 1
    fi
    echo "Granting permissions to $APP_DIR for user $SECONDARY_USER."
    # Only set up the home directory once: skip this block if the secondary
    # user already has a traverse-only entry on it.
    if ! getfacl -p "$HOME" | grep -q "^user:$SECONDARY_USER:--x"; then
        # Grant secondary user access to the primary account's home directory
        # for navigational purposes only.
        setfacl -m u:"$SECONDARY_USER":--x "$HOME"
        # Disallow ALL access to all directories for secondary user.
        setfacl -R -m u:"$SECONDARY_USER":--- "$HOME"/webapps/*
    fi
    # Grant secondary user permissions to specified app directory.
    setfacl -R -m u:"$SECONDARY_USER":rwx "$HOME/webapps/$APP_DIR"
    # Grant secondary user permissions to new directories created
    # in specified app directory.
    setfacl -R -m d:u:"$SECONDARY_USER":rwx "$HOME/webapps/$APP_DIR"
    # Ensure all new directories and files are owned by the primary
    # account's group.
    chmod g+s "$HOME/webapps/$APP_DIR"
    # Make sure the primary account user continues to have full access
    # to all files and directories.
    setfacl -R -m d:u:"$PRIMARY_USER":rwx "$HOME/webapps/$APP_DIR"

elif [ "$ACTION" = "revoke-app" ] && [ "$#" -eq 3 ]; then
    echo "Revoking permissions for user $SECONDARY_USER to $APP_DIR."
    setfacl -R -x u:"$SECONDARY_USER" "$HOME/webapps/$APP_DIR"
    setfacl -R -x d:u:"$SECONDARY_USER" "$HOME/webapps/$APP_DIR"

elif [ "$ACTION" = "revoke-all" ]; then
    echo "Revoking ALL permissions for $SECONDARY_USER."
    setfacl -x u:"$SECONDARY_USER" "$HOME"
    setfacl -R -x u:"$SECONDARY_USER" "$HOME"/webapps/*
    setfacl -R -x d:u:"$SECONDARY_USER" "$HOME"/webapps/*

else
    echo "Unknown action or wrong number of arguments: $ACTION"
    exit 1
fi

Copy and paste that into a file called permissions.sh

You can then enable the script to be executable using: chmod 755 permissions.sh

To use, you just run:

./permissions.sh grant joe django

For more information on using setfacl and getfacl


answered 19 Sep '12, 13:26

bmeyer71 ♦♦

edited 18 Nov '13, 10:51

Here is an alternative to the previous permissions script.

Note: Again, only tested on 64bit CentOS.

#!/bin/bash

if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
    echo
    echo 'Please provide 2 or 3 arguments.'
    echo
    echo 'USAGE: permissions.sh action username directory'
    echo 'actions: grant, revoke-app, revoke-all'
    echo 'eg: permissions.sh grant joe $HOME/webapps/django'
    echo
    echo 'Currently only works for directories in /home/username/webapps.'
    echo
    exit 1
fi

PRIMARY_USER=$(whoami)
ACTION=$1
SECONDARY_USER=$2
APP_DIR=$3

# Make a relative directory absolute so the $HOME/webapps check and the
# path walk below always see the full path.
case "$APP_DIR" in
    ''|/*) ;;
    *) APP_DIR="$(pwd -P)/$APP_DIR" ;;
esac

# Split the supplied directory path into its components, leaf first:
# parse[1] is the target directory, parse[2..i] are its ancestors.
i=0
DIR_ARRAY=$APP_DIR
while [ -n "$DIR_ARRAY" ] && [ "$DIR_ARRAY" != "/" ]; do
    i=$((i+1))
    parse[$i]="$(basename "$DIR_ARRAY")"
    DIR_ARRAY="$(dirname "$DIR_ARRAY")"
done

if [ "$ACTION" = "grant" ] && [ "$#" -eq 3 ]; then
    if [[ $APP_DIR != "$HOME"/webapps/* ]]; then
        echo
        echo "This script currently only works with $HOME/webapps"
        echo
        exit 1
    fi
    if [ ! -d "$APP_DIR" ]; then
        echo "No such directory: $APP_DIR"
        exit 1
    fi

    echo "Granting permissions to $APP_DIR for user $SECONDARY_USER."
    # Only set up the home directory once: skip this block if the secondary
    # user already has a traverse-only entry on it.
    if ! getfacl -p "$HOME" | grep -q "^user:$SECONDARY_USER:--x"; then
        # Grant secondary user access to the primary account's home directory
        # for navigational purposes only.
        setfacl -m u:"$SECONDARY_USER":--x "$HOME"
        # Disallow ALL access to all directories for secondary user.
        setfacl -R -m u:"$SECONDARY_USER":--- "$HOME"/webapps/*
    fi

    DIR_PATH=""
    while [ "$i" -gt 0 ]; do
        DIR_PATH="$DIR_PATH/${parse[$i]}"
        # /home, $HOME and $HOME/webapps keep the entries set above; only
        # directories below $HOME/webapps are touched here.
        if [ "$DIR_PATH" != "/home" ] && [ "$DIR_PATH" != "$HOME" ] && [ "$DIR_PATH" != "$HOME/webapps" ]; then
            if [ "$i" -eq 1 ]; then
                # Grant secondary user permissions to specified directory.
                setfacl -R -m u:"$SECONDARY_USER":rwx "$DIR_PATH"
                # Grant secondary user permissions to new directories created
                # in specified directory.
                setfacl -R -m d:u:"$SECONDARY_USER":rwx "$DIR_PATH"
                # Ensure all new directories and files are owned by the primary
                # account's group.
                chmod g+s "$DIR_PATH"
                # Make sure the primary account user continues to have full access
                # to all files and directories.
                setfacl -R -m d:u:"$PRIMARY_USER":rwx "$DIR_PATH"
            else
                # Grant secondary user traverse-only (--x) access to this parent
                # directory, and to it alone (not recursively), so they can reach
                # the specified directory without being able to list or enter
                # anything else under the parent.
                setfacl -m u:"$SECONDARY_USER":--x "$DIR_PATH"
            fi
        fi
        i=$((i-1))
    done

elif [ "$ACTION" = "revoke-app" ] && [ "$#" -eq 3 ]; then
    echo "Revoking permissions for user $SECONDARY_USER to $APP_DIR."
    setfacl -R -x u:"$SECONDARY_USER" "$APP_DIR"
    setfacl -R -x d:u:"$SECONDARY_USER" "$APP_DIR"

elif [ "$ACTION" = "revoke-all" ]; then
    echo "Revoking ALL permissions for $SECONDARY_USER."
    setfacl -x u:"$SECONDARY_USER" "$HOME"
    setfacl -R -x u:"$SECONDARY_USER" "$HOME"/webapps/*
    setfacl -R -x d:u:"$SECONDARY_USER" "$HOME"/webapps/*

else
    echo "Unknown action or wrong number of arguments: $ACTION"
    exit 1
fi

Copy and paste that into a file called permissions.sh

You can then enable the script to be executable using: chmod 755 permissions.sh

To use, you just run:

./permissions.sh grant joe $HOME/webapps/django

This will also let you grant permissions to a subdirectory.

eg: $HOME/webapps/yourapp/some/other/dir

It will grant access to the parent directories of dir for navigational purposes only and read, write, execute to the dir directory as described in this community post.


answered 22 Sep '12, 21:34

bmeyer71 ♦♦

edited 18 Nov '13, 10:52

Thanks, I tried it and it worked. But PLEASE add instructions for others to change PRIMARY_USER=whoami to whatever their account name is. I noticed this bit in the code, but not everyone will. I'd vote your solution UP, but apparently I don't have enough cred...

(24 Jan '13, 02:47) dhigby

The code is actually equivalent to PRIMARY_USER=$(whoami), which should work for anyone without substitution, since the "whoami" command returns the current user.

(24 Jan '13, 02:54) ryans ♦♦

Why would I be getting a

Granting permissions to
/home/myuser/webapps/someapp for user otheruser.
getfacl: invalid option -- p

on both versions of the permissions script?

The problem that I'm trying to solve is that after running all the acl commands, I can ls and modify the contents of the folder if I refer to it with an absolute path, but if I create a link to that folder then I get a permission denied when I try to cd.

FIXED: the script contained a -p instead of a -P

(18 Nov '13, 03:28) alcipone

The lowercase -p is only available on the newer version of getfacl (ACL) which is on the CentOS6 64bit servers. This is why you got an error with that command. I've updated the posts to mention that as well.

(18 Nov '13, 10:50) bmeyer71 ♦♦

I tried to add this script and run it in the directory above 'webapps'. All I see is the following error: 'This script currently only works with /home/username/webapps'

(20 Aug '14, 17:38) xpostudio4

The script as written is designed to work for one application not for your Home directory. You would need to modify the script to work in your home directory.

(20 Aug '14, 18:42) aaront ♦♦

Step by step granting access to specific FTP users (secondary-username) and landing access to his specific application directory:

  1. *Log in to an SSH session with your account name, then execute these commands:*
  2. setfacl -m u:secondary-username:--x $HOME
  3. setfacl -m u:secondary-username:--- $HOME/webapps/* (you will need to run this command again if you create new applications)
  4. setfacl -R -m u:secondary-username:rwx $HOME/webapps/application
  5. setfacl -R -m d:u:secondary-username:rwx $HOME/webapps/application
  6. chmod g+s $HOME/webapps/application
  7. setfacl -R -m d:u:primary-username:rwx $HOME/webapps/application
  8. su -s /bin/bash - secondary-username (if secondary-username is an FTP only user)
  9. ln -s /home/primary_username/webapps/application ~/application (to create symlink to the web app in their home directory)

answered 28 Mar '13, 17:35

ahmadie thaha

edited 28 Mar '13, 17:38
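Both permissions.sh above and the step-by-step list in this answer leave the same ACL layout behind. The audit helper below is an added example, not code from the original answers or from WebFaction: it reads that layout from getfacl text and reports the secondary user's effective access, and it also shows the rule the kernel actually applies (named entry AND mask), which a later chmod on the directory can silently weaken. The acl_of dumps are constructed samples for a hypothetical account alice granting user joe access to webapps/django; on a real host acl_of would simply run getfacl -p on the path.

```shell
# Audit helper (added example, not from the original answers): evaluate what a
# secondary user can actually do under the ACL scheme above, from getfacl text.
# The dumps in acl_of are constructed samples; on a real host replace its body
# with: getfacl -p "$1"  (the -p flag is assumed to be available).
acl_of() {
    case "$1" in
    /home/alice)                       # traverse only, as permissions.sh sets it
        printf '%s\n' 'user::rwx' 'user:joe:--x' 'group::r-x' 'mask::r-x' 'other::---' ;;
    /home/alice/webapps/blog)          # sibling app: explicitly denied
        printf '%s\n' 'user::rwx' 'user:joe:---' 'group::r-x' 'mask::r-x' 'other::---' ;;
    /home/alice/webapps/django)        # target app: rwx plus default ACL
        printf '%s\n' 'user::rwx' 'user:joe:rwx' 'group::r-x' 'mask::rwx' 'other::---' \
            'default:user::rwx' 'default:user:alice:rwx' 'default:user:joe:rwx' 'default:mask::rwx' ;;
    /home/alice/webapps/django/media)  # a later chmod 750 here rewrote the mask
        printf '%s\n' 'user::rwx' 'user:joe:rwx' 'group::r-x' 'mask::r-x' 'other::---' ;;
    *) return 1 ;;
    esac
}
and_perms() {   # AND two rwx strings: the kernel masks every named-user entry
    local out i c; out=""
    for i in 1 2 3; do
        c=$(printf '%s' "$1" | cut -c "$i")
        [ "$c" != "-" ] && [ "$(printf '%s' "$2" | cut -c "$i")" != "-" ] || c="-"
        out="$out$c"
    done
    printf '%s' "$out"
}
# Effective access of user $2 on path $1 (rwx string): named entry AND mask,
# or the other:: entry when the user has no named entry at all.
effective_perms() {
    local acl entry mask
    acl=$(acl_of "$1") || return 1
    entry=$(printf '%s\n' "$acl" | sed -n 's/^user:'"$2"':\(...\)$/\1/p')
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    if [ -z "$entry" ]; then
        printf '%s\n' "$acl" | sed -n 's/^other::\(...\)$/\1/p'
    else
        and_perms "$entry" "${mask:-rwx}"; echo
    fi
}
# Audit one grant: 0 only if the user has exactly --x on home, --- on the
# sibling app, rwx on the target and a default entry so new files inherit it.
audit_grant() {   # audit_grant <home> <user> <target> <sibling>
    local ok=0
    [ "$(effective_perms "$1" "$2")" = "--x" ] || { echo "$1: expected --x"; ok=1; }
    [ "$(effective_perms "$4" "$2")" = "---" ] || { echo "$4: expected ---"; ok=1; }
    [ "$(effective_perms "$3" "$2")" = "rwx" ] || { echo "$3: expected rwx"; ok=1; }
    acl_of "$3" | grep -q "^default:user:$2:rwx$" || { echo "$3: no default ACL"; ok=1; }
    return "$ok"
}
```

Run audit_grant /home/alice joe /home/alice/webapps/django /home/alice/webapps/blog for the expected layout; the media sample fails the audit because its mask drops joe's write bit even though the user:joe:rwx entry is still present.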

