Raspberry Pi | SFTP | restrict user privileges


jorgemarmo

Occasional Visitor
Hi,

I would like to be able to access some files from outside my network via SFTP, mainly from Windows clients using WinSCP.
I'm running a Raspberry Pi 4 under Raspbian 10 Lite, as a media server with Samba in the local network.

Now I would like to:
1) create a user, let's say "dummy1", but without "sudo" capabilities (I'm almost sure this will happen for every single user I add by default)
2) give only read permissions to "/media/USBHDD1/thisfolder" (which is the mounting path of an external HDD in NTFS, if that matters).
3) give read and write permission to "/media/USBHDD1/dummy1folder" (and if possible establish a quota?)
4) secure everything else... no execution, no GUI, no other write/read/execute privileges except whatever is needed to download and upload files to/from those folders.

So what would be the easiest way to do this?
So far I've found this:
https://www.digitalocean.com/community/ ... -directory
and this
https://www.digitalocean.com/community/ ... ted-access

but it's not working for them, it's for Ubuntu, and some guy even got locked out of his server... So I ask you to try to avoid these issues.
 

L&LD

Part of the Furniture
Use an OpenVPN connection instead back to your network. Much easier and more secure too, I would suspect.
 

jorgemarmo

Occasional Visitor
Use an OpenVPN connection instead back to your network. Much easier and more secure too, I would suspect.
I thought about it... But that would give some sort of access to my Synology NAS, the printer, the other computers... It's my understanding that for sharing these "folders" with a handful of family and friends, using a VPN would actually expose my network further, or am I wrong?
 

L&LD

Part of the Furniture
Any door, no matter how small, is exposing your network. And you shouldn't have just one door protecting it either (all the devices should be further protected too).

A VPN seems like the best bet to expose only what you want as safely as possible.

Sharing folders is best done with an expiring link external to your network.

Family and friends are gold, but they won't know how to safeguard your network. Only you oversee that.
 

ColinTaylor

Part of the Furniture
A VPN seems like the best bet to expose only what you want as safely as possible.
What are you proposing he does that will restrict access to the resources he mentioned?
 

L&LD

Part of the Furniture
At the very least? Use different login/password credentials.
 

ColinTaylor

Part of the Furniture
At the very least? Use different login/password credentials.
I think that's already assumed from what he said in point 1 of post #1.

My question was how do you propose he restrict access to just the resources as stated in points 2, 3 and 4 of post #1.
 

L&LD

Part of the Furniture
I didn't pretend to propose how to do that. I am not familiar (at all) with a Raspberry Pi 4 and what capabilities it may have.

I proposed he didn't use ssh to access those folders and find a more secure way instead.
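
For points 1 to 4 of the first post, OpenSSH's own chroot support is the usual approach: a `Match User` block in `/etc/ssh/sshd_config` that jails the account and forces `internal-sftp`. The script below is an added example, not part of the thread; it checks a config for the directives such a block needs, run against two constructed sample blocks. The `/srv/sftp/dummy1` path and the bind-mount layout described in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: /srv/sftp/dummy1 is owned by
# root and not writable by anyone else (sshd refuses the chroot otherwise); the two
# folders from the first post are bind-mounted beneath it, "thisfolder" read-only.
# The account gets no login shell, e.g.: useradd -M -s /usr/sbin/nologin dummy1

# Constructed sample: jail only; nothing forces SFTP or disables forwarding.
weak_block() {
cat <<'EOF'
Match User dummy1
    ChrootDirectory /srv/sftp/dummy1
EOF
}

# Constructed sample: the hardened Match block for /etc/ssh/sshd_config.
hardened_block() {
cat <<'EOF'
Match User dummy1
    ChrootDirectory /srv/sftp/dummy1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Read sshd_config text on stdin; print the directives that are missing or
# wrongly set in the "Match User <name>" block for the given user.
# Assumes one user per Match line (no comma lists or patterns).
missing_directives() {
    awk -v user="$1" '
        tolower($1) == "match" { inblock = (tolower($2) == "user" && $3 == user); next }
        inblock { seen[tolower($1)] = tolower($2) }
        END {
            if (!("chrootdirectory" in seen))            out = out " ChrootDirectory"
            if (seen["forcecommand"] != "internal-sftp") out = out " ForceCommand"
            if (seen["allowtcpforwarding"] != "no")      out = out " AllowTcpForwarding"
            if (seen["x11forwarding"] != "no")           out = out " X11Forwarding"
            if (seen["permittty"] != "no")               out = out " PermitTTY"
            print substr(out, 2)
        }'
}

echo "weak block is missing: $(weak_block | missing_directives dummy1)"
echo "hardened block is missing: $(hardened_block | missing_directives dummy1)"
```

Before restarting sshd with a new block, validate the file with `sshd -t` and keep an existing SSH session open, which avoids the lock-out mentioned in the first post.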
 
