topic Re: How to allow secure file access from SFTP processes with different GIDs ? in Operating System - Linux

How to allow secure file access from SFTP processes with different GIDs ?

Thomas Ritter — Thu, 12 Aug 2010 04:17:10 GMT

Is it possible to allow secure file access from SFTP processes whose primary GID is different ? We do not allow any "other" access.

Say process a has GID of abc and process b has GID of def. Ideally I want to have all the files and directories to have the group GID as abc. But a non root system process also needs to have access, but the GID is def. In the OpenVMS world we can achieve this with Access Control Lists.

What can be done in the linux world ?

Re: How to allow secure file access from SFTP processes with different GIDs ?

Thomas Ritter — Thu, 12 Aug 2010 05:23:25 GMT

Answering my own question I find

$ uname -a
Linux test_box 2.4.21-52.ELsmp #1 SMP Tue Sep 25 15:13:04 EDT 2007 i686 i686 i386 GNU/Linux

$ setfacl --version
setfacl 2.2.3

Re: How to allow secure file access from SFTP processes with different GIDs ?

Steven Schweda — Thu, 12 Aug 2010 05:35:58 GMT

> [...] In the OpenVMS world [...]

In VMS, a user belongs to exactly one group.
In a UNIX(-like) OS, a user can belong to
many groups. Some things which require an
ACL in VMS can be done using group
permissions in GNU/Linux, by adding users to
the right group.

Re: How to allow secure file access from SFTP processes with different GIDs ?

Thomas Ritter — Thu, 12 Aug 2010 05:43:55 GMT

We are dealing with SFTP operations. AFAIK who cannot change the GID during and SFTP operation. The fundamental problem is we run two major applications, one which if implemented correctly uses virtual uid and gids and other which requires real uid and gids. virtual meaning not in /etc/passwd or /etc/group. The application controls the access.

If the ACL works as I read, then the real uid, gid will be granted access using the acl and others by the application.