Case #1
- I will create three OS groups:
- companies -> holds N company accounts, each with read and write privileges.
- nusers -> holds N normal users, each with read and write privileges.
- rousers -> holds N normal users, each with read-only privileges.
# One OS group per SFTP population; membership decides which sshd Match block applies.
sftp_groups=(companies nusers rousers)
for grp in "${sftp_groups[@]}"; do
  groupadd "$grp"
done
- I will create the required folders for the above groups and set the required permissions (sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by any other user or group):
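mkdir -pv /sftp/{companies,nusers,rousers}
# Every path component of a ChrootDirectory has to be a root-owned directory
# that is not group/world writable, or sshd refuses the login. Set the mode
# explicitly instead of relying on the umask in effect when mkdir ran, and
# include /sftp itself since it is a component of every chroot path.
for dir in /sftp /sftp/companies /sftp/nusers /sftp/rousers; do
  chown -v root:root "$dir"
  chmod -v 755 "$dir"
done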
- For demonstration purposes, each of the above groups has the following members:
- companies: company1, company2 and company3 users
- nusers: nuser1, nuser2 and nuser3 users.
- rousers: rouser1, rouser2 and rouser3 users
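# Demo password shared by all nine accounts; override it with
# DEMO_PASSWORD=... in the environment instead of editing three loops.
demo_password=${DEMO_PASSWORD:-redhat}
# <user-name prefix>:<group> pairs; accounts are numbered 1..3 in each group.
for pair in company:companies nuser:nusers rouser:rousers; do
  prefix=${pair%%:*}
  group=${pair#*:}
  for id in 1 2 3; do
    user="${prefix}${id}"
    user_dir="/sftp/${group}/${user}"
    # SFTP-only account: no interactive shell
    adduser "$user" -g "$group" -s /sbin/nologin
    printf '%s\n' "$demo_password" | passwd --stdin "$user"
    # user-owned 0700 directory below the root-owned chroot /sftp/<group>:
    # the only place the account can write, and not enterable by the other
    # members of the group (they can still list its name at the chroot root)
    mkdir -v "$user_dir"
    chown -v "${user}:${group}" "$user_dir"
    chmod -v 700 "$user_dir"
  done
done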
- Back up the original file, then add the following lines to the '/etc/ssh/sshd_config' file:
[root@sftp-server ~]# cp -av /etc/ssh/sshd_config /root/orig_files/
‘/etc/ssh/sshd_config’ -> ‘/root/orig_files/sshd_config’
[root@base ~]# tail -n23 /etc/ssh/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Companies
Match Group companies
ChrootDirectory /sftp/companies # Directory that 'companies' group members will change directory to
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# nusers
Match Group nusers
ChrootDirectory /sftp/nusers # Directory that 'nusers' group members will change directory to
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# rousers
Match Group rousers
ChrootDirectory /sftp/rousers # Directory that 'rousers' group members will change directory to
ForceCommand internal-sftp -R # read-only privileges
X11Forwarding no
AllowTcpForwarding no
- Restart the sshd service (run `sshd -t` first to validate the new configuration; older sshd versions may reject the trailing `# ...` comments on directive lines, in which case move those comments onto their own lines):
[root@sftp-server ~]# systemctl restart sshd
- Testing upload and download for 'company1':
[root@sftp-server ~]# sftp company1@localhost
company1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1000 1000 6B Sep 23 12:42 company1
drwx------ 0 1001 1000 6B Sep 23 12:35 company2
drwx------ 0 1002 1000 6B Sep 23 12:35 company3
sftp> cd company1
sftp> pwd
Remote working directory: /company1
sftp> ls -lh
sftp> !ls
anaconda-ks.cfg orig_files
sftp> put anaconda-ks.cfg
Uploading anaconda-ks.cfg to /company1/anaconda-ks.cfg
anaconda-ks.cfg 100% 1266 2.0MB/s 00:00
sftp> ls -lh
-rw------- 0 1000 1000 1.2K Sep 23 12:42 anaconda-ks.cfg
sftp> exit
[root@sftp-server ~]# cd /tmp/
[root@sftp-server tmp]# sftp company1@localhost
company1@localhost's password:
Connected to localhost.
sftp> cd company1
sftp> ls -lh
-rw------- 0 1000 1000 1.2K Sep 23 12:42 anaconda-ks.cfg
sftp> get anaconda-ks.cfg
Fetching /company1/anaconda-ks.cfg to anaconda-ks.cfg
/company1/anaconda-ks.cfg 100% 1266 1.3MB/s 00:00
sftp> !ls -lh /tmp/anaconda-ks.cfg
-rw-------. 1 root root 1.3K Sep 23 12:44 /tmp/anaconda-ks.cfg
- Testing upload and download for 'rouser1':
Upload does not work because the account is a read-only user (ForceCommand internal-sftp -R)
[root@sftp-server tmp]# sftp rouser1@localhost
rouser1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1006 1002 6B Sep 23 12:35 rouser1
drwx------ 0 1007 1002 6B Sep 23 12:35 rouser2
drwx------ 0 1008 1002 6B Sep 23 12:35 rouser3
sftp> cd rouser1
sftp> !ls
anaconda-ks.cfg ks-script-51xRrk systemd-private-2b0f49d01f0d466292863ddd50a5ffae-chronyd.service-tHAMF3 yum.log
sftp> put anaconda-ks.cfg
Uploading anaconda-ks.cfg to /rouser1/anaconda-ks.cfg
remote open("/rouser1/anaconda-ks.cfg"): Permission denied
sftp> exit
[root@sftp-server tmp]# sftp rouser1@localhost
rouser1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> cd /rouser1
sftp> ls -lh
-rw------- 0 1006 0 1.2K Sep 23 12:52 anaconda-ks.cfg
sftp> get anaconda-ks.cfg
Fetching /rouser1/anaconda-ks.cfg to anaconda-ks.cfg
/rouser1/anaconda-ks.cfg 100% 1266 1.5MB/s 00:00
sftp> exit
- Script to add and remove users "https://github.com/abdurrahman84/BASH-real-examples/blob/master/wesam-script.sh":
#!/bin/bash
#----------
# Functions
#----------
# List Current Groups
# Print the menu of groups an account may be added to, framed by blank lines.
# Output goes to stdout; nothing is read.
func_list_groups() {
  cat <<'EOF'

Current Used Groups:
--------------------
GROUP #1: companies (rw)
GROUP #2: nusers (rw)
GROUP #3: rousers (ro)

EOF
}
# Add User
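#######################################
# Interactively create one SFTP-only account in the Case #1 layout: a member of
# an existing group, login shell /sbin/nologin, and a user-owned 0700 directory
# at /sftp/<group>/<user>. (The per-user chroot layout of Case #2 needs a
# root-owned top directory with a user-owned 'files' subdirectory instead.)
# Inputs:  username, group name and password read from stdin
# Outputs: progress of mkdir/chown/chmod on stdout, errors on stderr
# Exits 1 on invalid input, an existing user, an unknown group or adduser failure
#######################################
func_add_user(){
  local username group_name user_password
  read -r -p "Enter username: " username
  # Accept only the characters useradd allows, so the name can never be empty
  # or contain a '/' that would point the mkdir/chown below outside /sftp/<group>.
  if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
    echo "Invalid username: $username" >&2
    exit 1
  fi
  # Exact account lookup; grep on /etc/passwd also matched substrings of other names.
  if getent passwd "$username" >/dev/null; then
    echo ""
    echo ""
    echo "$username username is exsit!"
    echo "Exitting..."
    exit 1
  fi
  read -r -p "Enter Group Name: " group_name
  # The group must already exist and have its /sftp/<group> chroot directory.
  if [[ ! "$group_name" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] \
     || ! getent group "$group_name" >/dev/null \
     || [[ ! -d "/sftp/${group_name}" ]]; then
    echo "Unknown group or missing /sftp/${group_name}: $group_name" >&2
    exit 1
  fi
  echo -n "Enter User Password: "
  read -r -s user_password
  echo ""   # read -s leaves the cursor after the prompt
  if [[ -z "$user_password" ]]; then
    echo "Password must not be empty" >&2
    exit 1
  fi
  # Stop here if the account could not be created; the steps below assume it exists.
  adduser "$username" -g "$group_name" -s /sbin/nologin || exit 1
  printf '%s\n' "$user_password" | passwd --stdin "$username"
  mkdir -v "/sftp/${group_name}/${username}"
  chown -v "${username}:${group_name}" "/sftp/${group_name}/${username}"
  chmod -v 700 "/sftp/${group_name}/${username}"
}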
# Delete User
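#######################################
# Remove an account created by func_add_user together with its home directory
# (userdel -r) and its /sftp/<group>/<user> data directory.
# Inputs:  username read from stdin
# Outputs: rm progress on stdout, errors on stderr
# Exits 1 for an invalid or unknown username
#######################################
func_del_user() {
  local username group_name
  read -r -p "Enter username: " username
  # Same whitelist as func_add_user: an empty or path-like name would otherwise
  # turn the rm below into a removal of /sftp itself or of a directory outside it.
  if [[ ! "$username" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
    echo "Invalid username: $username" >&2
    exit 1
  fi
  # Exact account lookup; grep on /etc/passwd also matched substrings of other names.
  if ! getent passwd "$username" >/dev/null; then
    echo ""
    echo ""
    echo "$username username is NOT exsit!"
    echo "Exitting..."
    exit 1
  fi
  # Primary group straight from the account instead of parsing `groups` output.
  group_name=$(id -gn "$username") || exit 1
  userdel -r "$username"
  # ${var:?} aborts if either part is empty, so the path always stays /sftp/<group>/<user>.
  rm -rfv -- "/sftp/${group_name:?}/${username:?}"
}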
#----------
# Main Part
#----------
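clear # Clear Screen
# Every action below edits system account files (adduser/passwd/userdel);
# say so once up front instead of letting each step fail on its own.
if [ "$(id -u)" -ne 0 ]; then
  echo "Warning: this script must be run as root; account changes will fail." >&2
fi
echo "USER ACTIONS"
echo "------------"
echo "1) Add User"
echo "2) Delete User"
echo ""
# -r keeps a typed backslash literal instead of treating it as an escape
read -r -p "Enter Your Choice: " MENU_CHOICE2
case "$MENU_CHOICE2" in
  1)
    func_list_groups
    func_add_user
    ;;
  2)
    func_del_user
    ;;
  *)
    echo "You chose unwisely."
    ;;
esac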
- Testing the script:
[root@sftp-server tmp]# ./add_del_user.sh
USER ACTIONS
------------
1) Add User
2) Delete User
Enter Your Choice: 1
Current Used Groups:
--------------------
GROUP #1: companies (rw)
GROUP #2: nusers (rw)
GROUP #3: rousers (ro)
Enter username: ab
Enter Group Name: rousers
Enter User Password:
Changing password for user ab.
passwd: all authentication tokens updated successfully.
mkdir: created directory ‘/sftp/rousers/ab’
changed ownership of ‘/sftp/rousers/ab’ from root:root to ab:rousers
mode of ‘/sftp/rousers/ab’ changed from 0755 (rwxr-xr-x) to 0700 (rwx------)
[root@sftp-server tmp]# sftp ab@localhost
ab@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1009 1002 6B Sep 23 13:12 ab
drwx------ 0 1006 1002 29B Sep 23 12:52 rouser1
drwx------ 0 1007 1002 6B Sep 23 12:35 rouser2
drwx------ 0 1008 1002 6B Sep 23 12:35 rouser3
sftp> cd ab
sftp> !ls
add_del_user.sh anaconda-ks.cfg ks-script-51xRrk systemd-private-2b0f49d01f0d466292863ddd50a5ffae-chronyd.service-tHAMF3 yum.log
sftp> put add_del_user.sh
Uploading add_del_user.sh to /ab/add_del_user.sh
remote open("/ab/add_del_user.sh"): Permission denied
sftp> exit
Case #2
- I will create three OS groups:
- companies -> holds N company accounts, each with read and write privileges.
- nusers -> holds N normal users, each with read and write privileges.
- rousers -> holds N normal users, each with read-only privileges.
# One OS group per SFTP population; membership decides which sshd Match block applies.
sftp_groups=(companies nusers rousers)
for grp in "${sftp_groups[@]}"; do
  groupadd "$grp"
done
- I will create the required folders for the above groups and set the required permissions (sshd only accepts a ChrootDirectory whose every path component is a root-owned directory that is not writable by any other user or group; with the per-user %u chroot this also applies to each /sftp/<group>/<user> directory):
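mkdir -pv /sftp/{companies,nusers,rousers}
# Every path component of a ChrootDirectory has to be a root-owned directory
# that is not group/world writable, or sshd refuses the login. Set the mode
# explicitly instead of relying on the umask in effect when mkdir ran, and
# include /sftp itself since it is a component of every chroot path.
for dir in /sftp /sftp/companies /sftp/nusers /sftp/rousers; do
  chown -v root:root "$dir"
  chmod -v 755 "$dir"
done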
- For demonstration purposes, each of the above groups has the following members:
- companies: company1, company2 and company3 users. EACH USER WILL NOT EVEN BE ABLE TO SEE THE OTHER USERS' HOME DIRECTORIES
- nusers: nuser1, nuser2 and nuser3 users. EACH USER WILL NOT EVEN BE ABLE TO SEE THE OTHER USERS' HOME DIRECTORIES
- rousers: rouser1, rouser2 and rouser3 users. EACH USER WILL NOT EVEN BE ABLE TO SEE THE OTHER USERS' HOME DIRECTORIES
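# Demo password shared by all nine accounts; override it with
# DEMO_PASSWORD=... in the environment instead of editing three loops.
demo_password=${DEMO_PASSWORD:-redhat}
# <user-name prefix>:<group> pairs; accounts are numbered 1..3 in each group.
for pair in company:companies nuser:nusers rouser:rousers; do
  prefix=${pair%%:*}
  group=${pair#*:}
  for id in 1 2 3; do
    user="${prefix}${id}"
    chroot_dir="/sftp/${group}/${user}"
    # SFTP-only account: no interactive shell
    adduser "$user" -g "$group" -s /sbin/nologin
    printf '%s\n' "$demo_password" | passwd --stdin "$user"
    # Per-user chroot root (ChrootDirectory /sftp/<group>/%u): it must stay
    # root-owned and not writable by the user or sshd rejects the login.
    mkdir -v "$chroot_dir"
    chown -v root:root "$chroot_dir"
    chmod -v 755 "$chroot_dir"
    # The only writable location inside the chroot, owned by the user; the
    # chroot root hides the other users' directories entirely.
    mkdir -v "${chroot_dir}/files"
    chown -v "${user}:${group}" "${chroot_dir}/files"
    chmod -v 700 "${chroot_dir}/files"
  done
done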
- Back up the original file, then add the following lines to the '/etc/ssh/sshd_config' file:
[root@sftp-server ~]# cp -av /etc/ssh/sshd_config /root/orig_files/
‘/etc/ssh/sshd_config’ -> ‘/root/orig_files/sshd_config’
[root@sftp-server ~]# tail -n23 /etc/ssh/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Companies
Match Group companies
ChrootDirectory /sftp/companies/%u # Directory that 'companies' group members will change directory to
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# nusers
Match Group nusers
ChrootDirectory /sftp/nusers/%u # Directory that 'nusers' group members will change directory to
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
# rousers
Match Group rousers
ChrootDirectory /sftp/rousers/%u # Directory that 'rousers' group members will change directory to
ForceCommand internal-sftp -R # read-only privileges
X11Forwarding no
AllowTcpForwarding no
- Restart the sshd service (run `sshd -t` first to validate the new configuration; older sshd versions may reject the trailing `# ...` comments on directive lines, in which case move those comments onto their own lines):
[root@sftp-server ~]# systemctl restart sshd
- Testing upload and download for 'company1':
'company1' can no longer see 'company2' and 'company3' as it could in Case #1.
[root@sftp-server ~]# sftp company1@localhost
company1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1000 1000 6B Sep 23 13:45 files
sftp> cd files/
sftp> ls -lh
sftp> !ls
anaconda-ks.cfg orig_files
sftp> put anaconda-ks.cfg
Uploading anaconda-ks.cfg to /files/anaconda-ks.cfg
anaconda-ks.cfg 100% 1266 1.7MB/s 00:00
sftp> ls -lh
-rw------- 0 1000 1000 1.2K Sep 23 13:46 anaconda-ks.cfg
sftp> exit
[root@sftp-server ~]# cd /tmp/
[root@sftp-server tmp]# sftp company1@localhost
company1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1000 1000 29B Sep 23 13:46 files
sftp> cd files/
sftp> ls -lh
-rw------- 0 1000 1000 1.2K Sep 23 13:46 anaconda-ks.cfg
sftp> get anaconda-ks.cfg
Fetching /files/anaconda-ks.cfg to anaconda-ks.cfg
/files/anaconda-ks.cfg 100% 1266 1.4MB/s 00:00
sftp> exit
- Testing upload and download for 'rouser1':
Upload does not work because the account is a read-only user (ForceCommand internal-sftp -R).
'rouser1' can no longer see 'rouser2' and 'rouser3' as it could in Case #1.
[root@sftp-server ~]# sftp rouser1@localhost
rouser1@localhost's password:
Connected to localhost.
sftp> pwd
Remote working directory: /
sftp> ls -lh
drwx------ 0 1006 1002 6B Sep 23 13:41 files
sftp> cd files/
sftp> ls -lh
sftp> !ls -lh
total 4.0K
-rw-------. 1 root root 1.3K Sep 22 17:28 anaconda-ks.cfg
drwxr-xr-x. 2 root root 25 Sep 23 13:42 orig_files
sftp> put anaconda-ks.cfg
Uploading anaconda-ks.cfg to /files/anaconda-ks.cfg
remote open("/files/anaconda-ks.cfg"): Permission denied
sftp> ls -lh
sftp> exit