I configured a CentOS server to be an SFTP server that receives customer files in a secure way. Then I need to be able to access these files via SMB.
- The 'root' of my SFTP is in /var/inbound/
- Then under /var/inbound/ I have one directory for each customer (e.g. /var/inbound/customer1/)
- Then in order to jail users, I have a sub-directory called uploads under each customer directory (e.g. /var/inbound/customer1/uploads/)
I managed to make the permissions work as expected and everything is fine and dandy to support customer access to the SFTP. One important aspect is that I 'jailed' users to their /var/inbound/ directories.
Here is how I created the /var/inbound directory:

    sudo mkdir /var/inbound
    sudo chown root.root /var/inbound   # root must be owner of directory

And here is how I create the sub-directories for each customer:

NOTE: Both the /var/inbound/[username]/ and /var/inbound/[username]/uploads/ directories need a special set of permissions. Perform the following commands, replacing [username] with the user in question.

    sudo mkdir -p /var/inbound/[username]/uploads
    sudo chown root /var/inbound/[username]
    sudo chmod go-w /var/inbound/[username]
    sudo chown [username]: /var/inbound/[username]/uploads
    sudo chmod 770 /var/inbound/[username]/uploads
Now I'll spare you the remaining SSH/SFTP configuration. But suffice to say that I can get users to be jailed to their own directories, and that I disabled their SSH/console access using SCPONLY.
Now where things get complicated...
I now need to give SMB access to a specific account (let's call it fileaccess) to the /var/inbound/ directory, which will be accessible from a Windows Server host. I do manage to see the /var/inbound directory as a share from Windows, including its sub-directories. However I cannot see some files, and I have no write access to the files I am meant to have access to either.
    $ ls -l /var/inbound
    total 0
    drwxr-xr-x. 3 root root 20 Jan 5 11:53 testuser
    $ ls -l /var/inbound/testuser
    total 0
    drwxrwxr-x. 2 testuser sftponly 53 Jan 5 12:26 uploads

Now here is the directory I want to access with the fileaccess account:

    $ ls -la /var/inbound/testuser/uploads/
    total 12
    drwxrwx---. 2 testuser sftponly 53 Jan 5 15:12 .
    drwxr-xr-x. 3 root root 20 Jan 5 11:53 ..
    -rw-r--r--. 1 fileaccess sftponly 30 Jan 5 12:26 test2.txt
    -rw-r--r--. 1 testuser sftponly 26 Jan 5 12:25 test3.txt
    -rw-rw-r--. 1 dmgmadmin dmgmadmin 14 Jan 5 11:53 test.txt

When I connect via SMB with the fileaccess account, I can only see the test.txt, but I cannot open the file (access denied).
Here is my smb.conf. As you can see I've been trying a series of different options:
    [global]
    workgroup = <MYDOMAINNAMEGOESHERE>
    security = user
    passdb backend = tdbsam

    [inbound]
    comment = Incoming files (as %u)
    path = /var/inbound/
    valid users = fileaccess
    guest ok = No
    read only = No
    writeable = Yes
    browseable = Yes
    create mask = 0640
    directory mask = 0750

NOTE: While I do have a domain, this CentOS machine is not part of it. It does have an entry on my Windows AD DNS, and is configured to use the DNS server -- but that is the end of it. I want this machine to be isolated. So attempts to connect to this server are made with local CentOS accounts.
I am particularly concerned that this might be a Linux file-system access issue, and that necessary changes might conflict with required SFTP permissions (e.g. SFTP requires the /var/inbound// directories to be owned by root).
I wonder if there is a way to enforce in the smb.conf the access rights for the account in question, so that account has browse/read/write permissions. I tried all sorts of config options in smb.conf (I've been reading the manual for smb.conf here).
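With `security = user`, smbd serves the share as the local Unix user `fileaccess`, so the kernel applies the same owner/group/other mode-bit check to it as to any SFTP login. The script below is an added example, not code from the post, that models that check over a constructed tree copied from the listings above (modes, owners and groups as shown; `/var` assumed to be `755 root:root`). It walks every directory on the way to a file, requiring traverse (`x`) on each, then checks the requested bits on the file itself, and prints the result for `fileaccess` both outside and inside the `sftponly` group. Only mode bits are modelled; POSIX ACLs, root's override, and the SELinux labels that the trailing `.` in the listings indicates are out of scope and have to be checked separately.

```python
# Added example (not the poster's code): model the POSIX mode-bit check the kernel
# applies to every process on the server, smbd included, so that the Samba user's
# effective access to the SFTP tree can be predicted from "ls -l" output.
# Only owner/group/other mode bits are modelled: no ACLs, no root override, no SELinux.

R, W, X = 4, 2, 1  # permission bits of one rwx triplet in an octal mode

# Constructed tree mirroring the listings in the post: path -> (mode, owner, group).
# "/var" is an assumption (typical 755 root:root); the rest is taken from the post.
UPLOADS = "/var/inbound/testuser/uploads"
TREE = {
    "/var": (0o755, "root", "root"),
    "/var/inbound": (0o755, "root", "root"),
    "/var/inbound/testuser": (0o755, "root", "root"),
    UPLOADS: (0o770, "testuser", "sftponly"),
    UPLOADS + "/test2.txt": (0o644, "fileaccess", "sftponly"),
    UPLOADS + "/test3.txt": (0o644, "testuser", "sftponly"),
    UPLOADS + "/test.txt": (0o664, "dmgmadmin", "dmgmadmin"),
}


def bits_for(entry, user, groups):
    """Return the rwx triplet that applies to `user` (member of `groups`) for one entry."""
    mode, owner, group = entry
    if user == owner:
        return (mode >> 6) & 7        # owner triplet
    if group in groups:
        return (mode >> 3) & 7        # group triplet
    return mode & 7                   # other triplet


def describe(bits):
    """Render a triplet as 'rwx'-style text for error messages."""
    return "".join(name for name, bit in (("r", R), ("w", W), ("x", X)) if bits & bit) or "-"


def check_access(tree, path, user, groups, want):
    """Require x (traverse) on every parent directory, then the `want` bits on `path`.

    Returns (ok, reason); the reason names the first component that denies access,
    which is what you want when diagnosing 'access denied' on a nested share.
    """
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = "/" + "/".join(parts[:depth])
        if parent not in tree:
            return False, f"{parent}: not in tree"
        if not bits_for(tree[parent], user, groups) & X:
            return False, f"{parent}: {user} lacks traverse (x)"
    if path not in tree:
        return False, f"{path}: not in tree"
    have = bits_for(tree[path], user, groups)
    missing = want & ~have
    if missing:
        return False, f"{path}: {user} lacks {describe(missing)} (has {describe(have)})"
    return True, f"{path}: ok"


def share_report(tree, directory, user, groups):
    """For every file directly under `directory`, report (readable, writable) for `user`."""
    prefix = directory.rstrip("/") + "/"
    report = {}
    for path in sorted(tree):
        if path.startswith(prefix) and "/" not in path[len(prefix):]:
            readable, _ = check_access(tree, path, user, groups, R)
            writable, _ = check_access(tree, path, user, groups, W)
            report[path[len(prefix):]] = (readable, writable)
    return report


if __name__ == "__main__":
    for groups in ({"fileaccess"}, {"fileaccess", "sftponly"}):
        print(f"fileaccess with groups {sorted(groups)}:")
        ok, why = check_access(TREE, UPLOADS, "fileaccess", groups, R | X)
        print(f"  list {UPLOADS}: {ok} ({why})")
        for name, (r, w) in share_report(TREE, UPLOADS, "fileaccess", groups).items():
            print(f"  {name}: read={r} write={w}")
```

Run against the listing, the model shows the two separate problems: without `sftponly` membership `fileaccess` cannot even traverse the `770` uploads directory, and with it the files are still only world- or group-readable, so writes are refused by the kernel regardless of `writeable = Yes` in smb.conf. Any fix therefore has to come from the Unix side (group membership, group-writable modes or ACLs on the upload directories), and the same check can be repeated with `sudo -u fileaccess test -r <file>` on the real host.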