What's new

Raspberry Pi | SFTP | restrict user privileges

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jorgemarmo

Occasional Visitor
Hi,

I would like to be able to access some files from outside my network via SFTP and mainly from windows clients using WinSCP.
I'm running a raspberry pi 4 under raspbian 10 Lite, as a media server with samba in the local network.

Now I would like to:
1) create a user, lets say "dummy1" but with not "sudo" capabilities (I'm almost sure this will happen for every single user I add by default)
2) give only read permissions to "/media/USBHDD1/thisfolder" (which is the mounting path of an external hdd in NTFS if that matters).
3) give read and write permission to "/media/USBHDD1/dummy1folder" (and if possible establish a cuota?)
4) secure everything else... no execution, no GUI, no other write/read/execute privileges except whatever is needed to download and upload files to/from those folders.

so what would be the easiest way to do this?
so far I've found this:
https://www.digitalocean.com/community/ ... -directory
and this
https://www.digitalocean.com/community/ ... ted-access

but is not working for them, it's for ubuntu, and some guy even got locked out of its server.... So I ask you to try to avoid these issues.
 
Use an OpenVPN connection instead back to your network. Much easier and more secure too, I would suspect.
 
Use an OpenVPN connection instead back to your network. Much easier and more secure too, I would suspect.
I thought about it... But that would give some sort of access to my Synology NAS, the printer, the other computers... Is my understanding that for sharing this these "folders" with a handful of family and friends, using a VPN would actually expose my network further, or am I wrong?
 
Any door, no matter how small, is exposing your network. And you shouldn't have just one door protecting it either (all the devices should be further protected too).

A VPN seems like the best bet to expose only what you want as safely as possible.

Sharing folders is best done with an expiring link external to your network.

Family and friends are gold, but they won't know how to safeguard your network. Only you oversee that.
 
At the very least? Use different login/password credentials.
 
At the very least? Use different login/password credentials.
I think that's already assumed from what he said in point 1 of post #1.

My question was how do you propose he restrict access to just the resources as stated in points 2, 3 and 4 of post #1.
 
I didn't pretend to propose how to do that. I am not familiar (at all) with a Raspberry Pi 4 and what capabilities it may have.

I proposed he didn't use ssh to access those folders and find a more secure way instead.
 
I know this is a old thread but maybe it helps somebody.

I use ProFTPD with users in a database.
They can not logon to the system only to ProFTPD.

1706645654220.png


I don't use the FTP(S) function in ProFTPD only the SFTP module.
In /etc/proftpd/virtuals.conf you can set what users are allowed to do.

virtuals.conf:
Code:
# sftp.domain.tld virtual host
########################################
<IfModule mod_sftp.c>
<VirtualHost 192.168.xxx.xxx 2001:xxxx:xxxx:xxxx::xxxx>

SFTPEngine on
SFTPPAMEngine off

# Specifies the port where the SFTP connections will be accepted.
# Since SSH already is looking for connections on port 22, we want a different port.
# Preferably choose a less known port number.
Port 2222

SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

SFTPCompression delayed

DefaultRoot        ~

AuthOrder mod_sql.c

SFTPDisplayBanner /usr/local/etc/welcome.msg

MaxClients        50
SFTPMaxChannels        10
MaxLoginAttempts    5

Umask    0006  0007

Include /etc/proftpd/sql.conf

# Download
########################################
  <Directory ~>
    AllowOverwrite    no
    AllowRetrieveRestart on

    <Limit WRITE>
      DenyAll
    </Limit>

#    HideFiles (\.message|\.htaccess$)
    HideFiles (\.message$)
    <Limit ALL>
      IgnoreHidden    On
    </Limit>
  </Directory>
########################################

# Files
########################################
  <Directory ~/files>
   AllowOverwrite    no
   AllowRetrieveRestart on

    <Limit WRITE>
      DenyAll
    </Limit>

#    HideFiles (\.message|\.Prullenbak$)
    HideFiles (\.message$)
    <Limit ALL>
      IgnoreHidden    On
    </Limit>
  </Directory>
########################################

# Upload
########################################
  <Directory ~/upload>
   AllowOverwrite    yes
   AllowRetrieveRestart on
   AllowStoreRestart on

#   <Limit READ WRITE>
#     DenyAll
#   </Limit>

   <Limit READ WRITE DIRS>
#   <Limit STOR>
     AllowAll
   </Limit>

#    HideFiles (\.message|\.htaccess$)
    HideFiles (\.message$)
    <Limit ALL>
      IgnoreHidden    On
    </Limit>
  </Directory>
########################################

# Web
########################################
  <Directory ~/web>
   AllowOverwrite    yes
   AllowRetrieveRestart on
   AllowStoreRestart on

   <Limit READ WRITE DIRS>
     AllowAll
   </Limit>

    HideFiles (\.message|\.Prullenbak$)
#    HideFiles (\.message$)
    <Limit ALL>
      IgnoreHidden    On
    </Limit>
  </Directory>
########################################

# Media
########################################
  <Directory ~/media>
   AllowOverwrite    no
   AllowRetrieveRestart on

    <Limit WRITE>
      DenyAll
    </Limit>

    HideFiles (\.message|\.Prullenbak$)
#    HideFiles (\.message$)
    <Limit ALL>
      IgnoreHidden    On
    </Limit>
  </Directory>
########################################

</VirtualHost>
</IfModule>
 
Last edited:

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top