The best way to do this is to create a chroot jail for the user. I'll clean up the answer here when I get home but I posted the solution on my blog.
https://thefragens.com/chrootd-sftp-on-mac-os-x-server/
Below are most of the instructions from the above post.
First, you should create the new user in Workgroup Admin and either assign them access privileges for SSH via Server Admin or assign them to a group that has SSH access privileges. Further discussion is below.
From the Terminal, start off right.
sudo cp /etc/sshd_config /etc/sshd_config.bkup
sudo chown root /
sudo chmod 755 /
sudo mkdir -p /chroot/user/scratchpad
sudo chown -R root /chroot
sudo chown user /chroot/user/scratchpad
sudo chmod -R 755 /chroot
Every additional new user added will then be something along the lines of the following.
sudo mkdir -p /chroot/user2/scratchpad
sudo chown root /chroot/user2
sudo chown user2 /chroot/user2/scratchpad
sudo chmod -R 755 /chroot/user2
Every folder in the path to the chroot jail must be owned by root. I don't think it matters what group the folder is in. What I did above was to
- back up /etc/sshd_config
- change ownership of the root directory to root
- change permissions of the root directory to 755
- create a chroot folder
- create a user folder inside the chroot folder
- create a folder inside the user folder that user can modify
- set ownership and permissions
Now to edit /etc/sshd_config to the following.
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
Match User user
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot/user
This creates a chroot jail that, when the user logs in, will drop them into the folder /chroot/user; in that folder is a folder they can add things to, /chroot/user/scratchpad.
If you want to create a Group in Workgroup Admin for 'Chroot Users', then add the new users that you created in Workgroup Admin to the Group and you won't have to keep editing the /etc/sshd_config file. Instead of the above, add the following. Make sure you add the 'Chroot Users' group to the SSH access ACL in Server Admin.
Match Group chrootusers
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot/%u
To test whether the above is working, issue the following from the terminal.
$ sftp user@domain.com
Password:
sftp>
Copying of files in AppleScript is best done either through System Events or Finder, using the duplicate … to command, i.e.
tell application "System Events" to duplicate sourceFile to targetFolder
where both sourceFile and targetFolder need to be the correct object type for the application used – meaning disk item or finder item (both objects can be created from AppleScript alias objects, or textual path values with a bit of type coercion – I’d add the details, but you have not stated how the paths to both are stored / acquired in your script).
A few notes on your code:
- There is no need to use globals when you have defined them as properties already. AppleScript properties are script scoped and persist across execution – they are only reset when the script is recompiled. If you assign those that need user setting missing value when declaring, you can even check if they are already set and skip re-prompting the user (there would be an even more comfortable and secure solution if Apple hadn’t deprecated Keychain Access Scripting).
- There is no need for the repeated assignments and recursive call in your connectToServer() handler. The following code
set timeOutCounter to 0
repeat while (list disks) does not contain serverName and timeOutCounter is less than timeOutInterval
-- mount drive
delay someInterval -- recommended, so you don’t hectically loop
set timeOutCounter to timeOutCounter + someInterval -- time out loop
end repeat
will try to connect in the interval defined by someInterval, until the mount is available or timeOutInterval is reached (assuming these values are declared. As properties, best – see above).
- You might also want to offer your user a more comfortable way of selecting the target folder than typing a folder name from memory. Check out Standard Additions’s AppleScript dictionary for the choose folder command.
- Finally, but that is mainly a matter of taste and coding style, I’d rather move the display dialog command into its own handler and call that, if needed repeatedly, from the script body, than use a C style mainLoop handler. I’ve found that, generally speaking, AppleScript runs out of Stack space easily when recursing and can get very confused about variable assignments, so it is a good idea to avoid recursive constructs where they are not necessary.
Best Answer
You can reference the files like this: