User can’t touch -t

ftppermissionsscp

When SCP'ing to my Fedora server, a user keeps getting errors about not being able to modify file timestamps ("set time: operation not permitted"). The user is not the owner of the file, but we cannot chown files to this user for security reasons. The user can sudo, but since this is happening via an SCP/FTP client, there's no way to do that either. And finally, we don't want to have to give this user root access, just to allow him to use a synchronization like rsync or WinSCP that needs to set timestamps.

The user is part of a group with full rw permissions on all relevant files and dirs. Any thoughts on how to grant user permission to touch -t these specific files without chowning them to him?

Further Info This all has to do with enabling PHP development in a single-developer scenario (ie: without SCM). I'm trying to work with Eclipse or NetBeans to work on a local copy of the PHP-based (WordPress) site, while allowing the user to "instantly" preview his changes on the development server. The user will be working remotely. So far, all attempts at automatic synchronization have failed – even using WinSCP in "watch folder" mode, where it monitors a local folder and attempts to upload any changes up to the remote directory error out because it always tries to set the date/timestamp.

The user does have sudo access, but I have been told that it's really not a good idea to work under 'root', so I have been unwilling to just log in as root to do this work. Besides, it ought not to be necessary. I would want some other, non-superuser to be able to do the same thing – using their account information, establish an FTP connection and be able to work remotely via sync. So the solution needs to work for someone without root access.

What staggers me is how much difficulty I'm having. All these softwares (NetBeans, Eclipse, WinSCP) are designed to allow synchronization, and they all try to write the timestamp. So it must be possible. WinSCP has the option to turn off "set timestamp", but this option becomes unavailable (always "on") when you select monitor/synchronize folder. So it's got to be something that is fairly standard.

Given that I'm a complete idiot when it comes to Linux, and I'm the dev "server admin" I can only assume it's something idiotic that I'm doing or that I have (mis)configured.

Summary In a nutshell, I want any users that have group r/w access to a directory, to be able to change the timestamp on files in that directory via SCP.

Best Answer

Why it doesn't work

When you attempt to change the modification time of a file with touch, or more generally with the underlying system call utime, there are two cases.

You are attempting to set the file's modification time to a specific time. This requires that you are the owner of the file. (Technically speaking, the process's effective user ID must be the owner of the file.²)
You are attempting to set the file's modification time to the current time. This works if and only if you have permission to write to the file. The reason for this exception is that you could achieve the same effect anyway by overwriting an existing byte of the file with the same value¹.

Why this typically doesn't matter

When you copy files with ftp, scp, rsync, etc., the copy creates a new file that's owned by whoever did the copy. So the copier has the permission to set the file's times.
With rsync, you won't be able to set the time of existing directories: they'll be set to the time when a file was last synchronized in them. In most cases, this doesn't matter. You can tell rsync not to bother with directory times by passing --omit-dir-times (-O).
With version control systems, revision dates are stored inside files; the metadata on the files is mostly irrelevant.

Solutions

This all has to do with enabling PHP development in a single-developer scenario (ie: without SCM).

Ok, stop right there. Just because there's a single developer doesn't mean you shouldn't use SCM. You should be using SCM. Have the developer check in a file, and give him a way to press a “deploy” button to check out the files from SCM into the live directory.

There is absolutely no technical reason why you shouldn't be using SCM, but there may be a human reason. If the person working on these files styles himself “developer”, he should be using SCM. But if this is a non-technical person pushing documents in, SCM might be too complicated. So go on pushing the files over FTP or SSH. There are three ways this can work.

Do you really need to synchronize times? As indicated above, rsync has an option to not synchronize times. Scp doesn't unless you tell it to. I don't know WinSCP but it probably can too.
Continue doing what you're doing, just ignore messages about times. The files are still being copied. This isn't a good option, because ignoring errors is always risky. But it is technically possible.
If you need flexibility in populating the files owned by the apache user, then the usual approach would be to allow the user SSH access as apache. The easy approach is to have the user create an SSH private key and add the corresponding public key to ~apache/.ssh/authorized_keys. This means the user will be able to run arbitrary commands as the apache user. Since you're ok with giving the user sudo rights anyway, it doesn't matter in your case. It's possible, but not so easy, to put more restrictions (you need a separate user database entry with a different name, the same user ID, a restricted shell and a chroot jail; details in a separate question, though this may already be covered on this site or on Server Fault).

¹ _{Or, for an empty file, write a byte and then truncate.}
² _{Barring additional complications, but none that I know of applies here.}

Related Solutions

How to set the default ftp root folder for an Ubuntu user connecting to VSFTPD

If you specify the user_config_dir in vsftpd.conf, you can set any config option on a per-user basis.

From man vsftpd.conf:

This powerful option allows the override of any config option specified in the manual page, on a per-user basis. Usage is simple, and is best illustrated with an example. If you set user_config_dir to be /etc/vsftpd_user_conf and then log on as the user "chris", then vsftpd will apply the settings in the file /etc/vsftpd_user_conf/chris for the duration of the session.

So, setting local_root in this way to the desired directory changes the FTP root for just that user.

How Do I Block Read Access to a Symbolic Link

Symlinks themselves have 777 because in Unix, file security is judged on a file/inode basis. If it's the same data they're operating on, it should have the same security conditions, regardless of the name you gave the system to open it.

[root@hypervisor test]# ls -l
total 0
lrwxrwxrwx. 1 root root 10 Jun  8 16:01 symTest -> /etc/fstab
[root@hypervisor test]# chmod o-rwx symTest
[root@hypervisor test]# ls -l
total 0
lrwxrwxrwx. 1 root root 10 Jun  8 16:01 symTest -> /etc/fstab
[root@hypervisor test]# :-(

Since permissions are set on the inode, it won't work with hard links even:

[root@hypervisor test]# echo "Don't Test Me, Bro" > testing123
[root@hypervisor test]# ls -l
total 4
lrwxrwxrwx. 1 root root 10 Jun  8 16:01 symTest -> /etc/fstab
-rw-r--r--. 1 root root 19 Jun  8 16:06 testing123
[root@hypervisor test]# ln testing123 newHardLink
[root@hypervisor test]# ls -l
total 8
-rw-r--r--. 2 root root 19 Jun  8 16:06 newHardLink
lrwxrwxrwx. 1 root root 10 Jun  8 16:01 symTest -> /etc/fstab
-rw-r--r--. 2 root root 19 Jun  8 16:06 testing123
[root@hypervisor test]# chmod 770 testing123
[root@hypervisor test]# chmod 700 newHardLink
[root@hypervisor test]# ls -lh
total 8.0K
-rwx------. 2 root root 19 Jun  8 16:06 newHardLink
lrwxrwxrwx. 1 root root 10 Jun  8 16:01 symTest -> /etc/fstab
-rwx------. 2 root root 19 Jun  8 16:06 testing123

A symlink isn't an inode (which actually stores the data you're wanting to secure) ergo in the Unix model it complicates things by having two different sets of permissions for protecting the same data.

It sounds like this is an attempt to give different groups of people different levels of access rights to the same file. If that's the case you're actually supposed to use POSIX ACL's (via setfacl and getfacl) to give the files appropriate permissions on the target of the symlink.

EDIT:

To elaborate on the direction you're probably wanting to go in, it's something like:

# setfacl -m u:apache:r-- "Folder 2.1"
# setfacl -m g:groupOfProgrammers:--- "Folder 2.1"
# setfacl -m g:groupOfProgrammers:r-x "Folder 1"

The above gives the apache user (substitute with whatever user your apache/nginx/whatever is running as) read-only access to the target of the symlink, and gives groupOfProgrammers read access to the directory the symlink is in (so that groupOfProgrammers can get a complete directory listing there), but turns all permission bits off for the same target of the symlink.