我有一台 Debian 服务器,我想授予多个用户对该服务器上文件夹子树的只读访问权限。有没有办法做到这一点,而无需手动更改所有文件和文件夹的权限?
答案1
如果你真的想尽可能地限制它们,我建议你安装一个 chrooted ssh。这样,即使它们设法打破了它们的树,它们也无法在底层系统中四处搜索。
Debian 团队有一份关于这个主题的指南。
答案2
rssh 就是这么做的。来自 pizzashack.org:
rssh 是用于 OpenSSH 的受限 shell,仅允许 scp 和/或 sftp。它现在还支持 rdist、rsync 和 cvs。例如,如果您有一台服务器,您只希望允许用户通过 scp 复制文件,而不提供 shell 访问权限,则可以使用 rssh 来执行此操作。有关已知可以使用 rssh 的平台列表,请参阅平台支持页面。
答案3
原始的(来自 openbsd)sshd 可以执行完整的 chroot,引用自 sshd_config:
ChrootDirectory
Specifies a path to chroot(2) to after authentication. This
path, and all its components, must be root-owned directories that
are not writable by any other user or group. After the chroot,
sshd(8) changes the working directory to the user's home directo-
ry.
The path may contain the following tokens that are expanded at
runtime once the connecting user has been authenticated: %% is
replaced by a literal '%', %h is replaced by the home directory
of the user being authenticated, and %u is replaced by the user-
name of that user.
The ChrootDirectory must contain the necessary files and directo-
ries to support the user's session. For an interactive session
this requires at least a shell, typically sh(1), and basic /dev
nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4),
arandom(4) and tty(4) devices. For file transfer sessions using
``sftp'', no additional configuration of the environment is nec-
essary if the in-process sftp server is used, though sessions
which use logging do require /dev/log inside the chroot directory
(see sftp-server(8) for details).
The default is not to chroot(2).