Linux – Why does default setfacl fail for nested directories

Tags: acl, linux, mkdir, permissions, sftp

I am using sftp with the internal-sftp for Debian.
What I'm trying to accomplish is to jail all users to a specific folder, which is working fine. I also need to have a single user that has "admin" rights on sftp but is not a root user. The admin user will be putting files in the sftp users' directories, so they will be able to access them.
The admin user will be a "non-technical" person using WinSCP or another client to do stuff. There is no way I can force him to use bash.

I came up with the following solution:

  1. SFTP configuration

Using sshd_config I set up this:

Match group users
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d %u

Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d admin/sftp/%u

So my 'admin' user has all the sftp users in his home. 'admin' is also in the users group. All other users are created in the sftponly group. 'admin' is also in the sftponly group.

  2. Directory setup

The directory setup is as follows:

-/
 -home
  -admin
   -sftp
    -user1
    -user2

I created a script for creating the sftp users that performs the following:

  1. add user $U:

    useradd -d / -g 1000 -M -N -s /usr/sbin/nologin $U
    
  2. set user $U password

    echo "$U:$P" | chpasswd
    
  3. create directory /home/admin/sftp/$U

    mkdir $SFTP_PATH/$U
    
  4. set ownership

    chown $U:sftponly $SFTP_PATH/$U
    
  5. set permissions

    chmod u=rx,go= -R $SFTP_PATH/$U
    chmod g+s $SFTP_PATH/$U
    
  6. Setup ACL

    setfacl -Rm u:admin:rwx,u:$U:r-x,g::--- $SFTP_PATH/$U
    setfacl -d -Rm u:admin:rwx,u:$U:r-x,g::--- $SFTP_PATH/$U
    

So far so good.
Now what I want to have in point 6 is a setup that will allow the user admin to create a subdirectory in $SFTP_PATH/$U that will be accessible to $U itself. This works fine for the first directory created (user tester):

# pwd
/home/admin/sftp/tester
# ls -alh
dr-xrwx---+  2 tester          sftponly 4.0K Oct 22 16:06 tester
# su admin
$ cd /home/admin/sftp/tester
$ mkdir subdir
$ ls -alh
admin@server:/home/admin/sftp/tester$ ls -alh
total 20K
dr-xrwx---+  3 tester   sftponly 4.0K Oct 22 22:41 .
drwxrwx---+ 28 admin sftponly 4.0K Oct 22 15:19 ..
dr-xrwx---+  2 admin users    4.0K Oct 22 22:41 subdir
$ cd subdir
admin@storage:/home/admin/sftp/tester/subdir$ mkdir nesteddir
mkdir: cannot create directory ‘nesteddir’: Permission denied

When I test the ACL I get:

admin@storage:/home/admin/sftp/tester$ getfacl subdir/
# file: subdir/
# owner: admin
# group: users
user::r-x
user:admin:rwx
user:tester:r-x
group::---
mask::rwx
other::---
default:user::r-x
default:user:admin:rwx
default:user:tester:r-x
default:group::---
default:mask::rwx
default:other::---

So my question is: Being admin and having setfacl for admin as rwx, why can I create the directory subdir but cannot create the directory nested?

Is there something I am missing here?
I know of proftpd and pureftp, but if possible I would like to use the ssh way. If there is no way to do this this way, I would appreciate being pointed in the right direction and a recommendation of software that would be able to achieve this setup out of the box.

Please note: user admin has his own directory under /home/admin/sharedfiles/, where he stores files that are then shared with the sftp users. The files are shared using hard links in their folders. For example, if admin wants to share a file (the files are very big, like 500GB) with 3 users, he just puts hard links in their folders to those files and they can download them without having to copy the big files to the folder of each user.

The issue occurred when admin wanted to put different categories of shares in different folders for the users.

EDIT:

I noticed that if I change the ownership of the newly created folder to 'tester', then creating nested directories is possible for the admin user. However, I still have to change the ownership of the nested directory to allow for further directory nesting.

# chown tester:sftponly subdir
# su admin
$ cd /home/admin/sftp/tester/subdir
$ mkdir nested                            # <----- works fine
$ cd nested
$ mkdir deepdir
mkdir: cannot create directory ‘deepdir’: Permission denied

So if I wanted to create the next nested directory then I have to chown tester:sftponly nested and then as user admin I can create the deepdir directory.

Please note that the ACL is inherited and theoretically user admin has rwx permissions to all files and directories under the first folder, that is subdir.

Maybe this will help in finding the reason for failing setfacl?

Best Answer

Group varies when creating subdir:

drwxrwx---+ 28 admin sftponly 4.0K Oct 22 15:19 ..
dr-xrwx---+  2 admin *users* 4.0K Oct 22 22:41 subdir

Nested directory creation possibly restricted by the subdir's distinct group.
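As an added example (not part of the question or the answer), the following Python simulates the access-check order from acl(5) over the `getfacl subdir/` listing quoted in the question: when the caller is the file owner, only the `user::` entry is consulted, so the named `user:admin:rwx` entry never applies to admin on a directory that admin owns, which is exactly what the `chown tester:sftponly` experiment changes. It assumes admin's groups are `users` and `sftponly` as stated in the question; no real filesystem is touched.

```python
# Added example (not from the original post): the POSIX ACL access check from
# acl(5), simulated over the getfacl listing quoted in the question (embedded below).

SUBDIR_GETFACL = """\
# owner: admin
# group: users
user::r-x
user:admin:rwx
user:tester:r-x
group::---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse getfacl output into a dict; default:* lines are skipped (they only shape new children)."""
    acl = {"users": {}, "groups": {}, "mask::": None}
    for line in text.splitlines():
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()      # key "owner" or "group"
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":")                  # e.g. "user", "admin", "rwx"
            bits = set(perms) - {"-"}
            if name:                      # named entry: user:NAME or group:NAME
                acl[tag + "s"][name] = bits
            else:                         # user::, group::, mask::, other::
                acl[tag + "::"] = bits
    return acl

def check_access(acl, user, groups, wanted):
    """True if `user` (member of `groups`) gets every permission in `wanted`, per acl(5) rules 1-4."""
    wanted = set(wanted)
    mask = acl["mask::"] if acl["mask::"] is not None else set("rwx")
    if user == acl["owner"]:              # rule 1: owner -> user:: only; named entries and mask NOT consulted
        return wanted <= acl["user::"]
    if user in acl["users"]:              # rule 2: named user, limited by the mask
        return wanted <= acl["users"][user] & mask
    hit = False                           # rule 3: owning group and named groups, limited by the mask
    for g in groups:
        bits = acl["group::"] if g == acl["group"] else acl["groups"].get(g)
        if bits is not None:
            hit = True
            if wanted <= bits & mask:
                return True
    return False if hit else wanted <= acl["other::"]   # rule 4: other:: only if no group matched

def mkdir_allowed(acl, user, groups=()):
    """Creating an entry inside a directory needs write and search (w and x) on that directory."""
    return check_access(acl, user, groups, "wx")
```

`mkdir_allowed(parse_getfacl(SUBDIR_GETFACL), "admin", ["users", "sftponly"])` is False while admin owns subdir; with the owner changed to tester (as `chown tester:sftponly subdir` does) the same call is True because admin then falls through to the named `user:admin:rwx` entry.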
