WebFaction

I've created a new SSH/SFTP user but only want them to be able to access and change files in a single directory. The directory is within a website that's symlinked from a directory outside of $HOME/webapps ($HOME/webapps_symlinked).

I've followed this summary of these instructions, including the answer given there, but when I log in as the new user, he doesn't have permission to list or enter the directory (whether the symlink in his home directory, or using the path to the directory itself).

I've done this:

setfacl -m u:FTP_USER:--x $HOME
setfacl -m u:FTP_USER:--- $HOME/webapps_symlinked/*
setfacl -R -m u:FTP_USER:rwx $HOME/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER
setfacl -R -m d:u:FTP_USER:rwx $HOME/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER
chmod g+s $HOME/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER
setfacl -R -m d:u:primary_username:rwx $HOME/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER

And as the FTP_USER:

ln -s /home/MAIN_USER/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER ~/ACCESSIBLE_FOLDER

But if the FTP_USER logs in and does:

ls /home/MAIN_USER/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER

He gets:

ls: cannot access /home/MAIN_USER/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER: Permission denied

What have I missed?

asked 05 Apr '16, 11:23

philgyford

edited 06 Apr '16, 14:26


You are granting access to a directory a few levels beneath $HOME/webapps_symlinked, so you need to grant execute permission for the directories in between - this allows the user to traverse these directories to get to the one he's supposed to access. Add these lines after your second setfacl command:

setfacl -R -m u:FTP_USER:--x $HOME/webapps_symlinked/my_application
setfacl -R -m u:FTP_USER:--x $HOME/webapps_symlinked/my_application/public

answered 05 Apr '16, 14:09

maryh
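The traversal rule maryh describes, as an added example that is not part of the original answer: a small POSIX sh helper that, given the user, a directory the user can already reach and the folder they should work in, prints one --x grant per intermediate directory and then the rwx and default-ACL grants for the folder itself. Unlike the answer it omits -R on the intermediate grants, so only the directories on the path are touched and the --- set on sibling folders stays in effect; the user and path names are the thread's placeholders.

```sh
#!/bin/sh
# Added helper (not from the thread): print the setfacl commands that let
# USER traverse from BASE down to TARGET and read/write TARGET.
# BASE must already be reachable by the user (here $HOME/webapps_symlinked,
# which the question makes reachable via --x on $HOME). Paths are assumed
# to contain no whitespace. Nothing is executed: review, then pipe into sh.
acl_traverse_cmds() {
    user=$1
    base=${2%/}
    target=${3%/}
    case $target in
        "$base"/*) ;;
        *) echo "acl_traverse_cmds: $target is not below $base" >&2; return 1 ;;
    esac
    rel=${target#"$base"/}
    dir=$base
    # Each directory strictly between BASE and TARGET gets execute only:
    # enough to pass through, not enough to list it. Deliberately no -R, so
    # siblings such as other app folders keep the --- set on them earlier.
    while [ "$rel" != "${rel#*/}" ]; do
        comp=${rel%%/*}
        rel=${rel#*/}
        dir=$dir/$comp
        printf 'setfacl -m u:%s:--x %s\n' "$user" "$dir"
    done
    # TARGET itself: full access now, plus a default ACL so files the main
    # user creates there later are writable by USER as well.
    printf 'setfacl -R -m u:%s:rwx %s\n' "$user" "$target"
    printf 'setfacl -R -m d:u:%s:rwx %s\n' "$user" "$target"
}

# Run with the thread's placeholder names; appending `| sh` would apply them.
acl_traverse_cmds FTP_USER /home/MAIN_USER/webapps_symlinked \
    /home/MAIN_USER/webapps_symlinked/my_application/public/ACCESSIBLE_FOLDER
```

After applying the printed commands, `getfacl` on each intermediate directory should show a `user:FTP_USER:--x` entry, and `ls` of that directory as FTP_USER should still be denied while the final folder lists normally.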

Ah, thank you maryh! I also think maybe my final line in that block of commands isn't needed? Is that unsetting read/write permissions on the directory, which seems wrong?

(06 Apr '16, 14:08) philgyford

Yes, that command should not be there.

(06 Apr '16, 14:13) maryh

You might also want to take a look at this script. It can help to automate granting permissions to only a subdirectory of your application.

(06 Apr '16, 14:21) bmeyer71 ♦♦

Thanks maryh - I've now removed the final line from that block of commands to avoid future confusion (hopefully). And thanks for the pointer bmeyer71 - I'll remember that for next time!

(06 Apr '16, 14:27) philgyford