Hugo wrote:
Again, I'm worried about how such a shell would work when the user logs in from the console (at home)? Or do I have to set up 2 accounts for each? That would really make a mess of the file permissions...?
Well, if you trust the user to be able to log in to the console, why not trust them when they sftp in? Given console access, I can own over 90% of the systems out there in minutes. Knoppix is the ultimate skeleton key.
This looks interesting and much cleaner than the chrooted OpenSSH system (which really sounds like bubblegum patching)... is this really something that cannot be done with OpenSSH? How do corporations, for example, provide SCP/SFTP file sharing to their customers? Do they use Windows, or do they just trust the customers not to go knocking around? Or do they all just apply these patches and hope that they can keep up with updates (as YOU probably don't handle this kind of stuff...)? I thought this would be the most used configuration for SCP/SFTP and I thought I was just blind to some obvious switch somewhere... sigh.
Most hosting companies and whatnot do not have actual Unix accounts for their users. It's the best security of all: no user account, no login. We just give them FTP or access their files via an ssl website. Much more secure for all. That said, for some instances, I've used scponly to keep them in their place, but still allow secure file access. scponly is great. No worries about patching existing services.
I guess Linux isn't that safe an operating system after all... one really needs to know and be active (= spend lots of time to get the basic stuff working) to get it safe. Or buy the stuff from SSH.
Remember, just because the user can browse the filesystem through sftp doesn't mean they can access anything they don't have permission to. Sftp doesn't give them access to anything they couldn't already access by logging in. The user sees the same access regardless of whether they log in or sftp in. This isn't a flaw, but actually DESIRABLE in 99% of the cases. If you give a user an account, you are trusting that user with the public areas of that server. That means they'll be able to see most of the system files, but not write to them. That also usually means they can't view other people's home directories, and it definitely means they're not going to be seeing the inside of the file where the passwords are stored. Unlike Windows, Linux is designed to be secure even to people who access the general filesystem. It also allows you to tailor your system to create directories where certain groups of people have access, but not others. Also, there is a HUGE difference in Linux in the area of read vs. write access. A normal user has read access to most things, but can only write to a very limited area. For instance, if I were a normal user on your system, I could sftp in and go to the /etc directory and see the passwd file, but I would be completely unable to upload a new one over it.
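The read-vs-write point above (an sftp user sees exactly what a login user sees, and /etc/passwd is readable but not writable) can be checked rather than assumed. The script below is an added example, not from this thread or from scponly: it implements the classic Unix owner/group/other mode check and audits a constructed sample tree for a hypothetical user "alice" (uid 1000, groups 1000 and 500); from_stat() lets you run the same check over real paths on a live box.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class FileInfo:
    path: str
    mode: int  # st_mode, type bits included
    uid: int
    gid: int

def can_access(info, uid, groups, want):
    """Classic Unix mode check for one user. want is 'r', 'w' or 'x'.
    Owner bits apply if uid matches, else group bits if any of the user's
    groups matches, else 'other' bits; an earlier class wins even if stricter."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:  # root bypasses r/w; for x it needs some x bit set
        return want != "x" or bool(info.mode & 0o111)
    if uid == info.uid:
        shift = 6
    elif info.gid in groups:
        shift = 3
    else:
        shift = 0
    return bool((info.mode >> shift) & bit)

def describe(info, uid, groups):
    return "".join(w if can_access(info, uid, groups, w) else "-" for w in "rwx")

def from_stat(path):
    """Build a FileInfo from a real path (for auditing a live system)."""
    st = os.lstat(path)
    return FileInfo(path, st.st_mode, st.st_uid, st.st_gid)

# Constructed sample, not a real system: the layout the post describes.
SAMPLE_TREE = [
    FileInfo("/etc/passwd", stat.S_IFREG | 0o644, 0, 0),
    FileInfo("/etc/shadow", stat.S_IFREG | 0o640, 0, 42),  # group 'shadow'
    FileInfo("/home/bob", stat.S_IFDIR | 0o700, 1001, 1001),
    FileInfo("/home/alice", stat.S_IFDIR | 0o755, 1000, 1000),
    FileInfo("/srv/shared", stat.S_IFDIR | 0o2770, 0, 500),  # group 'devs'
]

def audit(tree, uid, groups):
    """Map each path to an 'rwx'-style string of what this user could do."""
    return {f.path: describe(f, uid, groups) for f in tree}

if __name__ == "__main__":  # alice: uid 1000, groups {1000, 500}
    for path, perms in audit(SAMPLE_TREE, 1000, {1000, 500}).items():
        print(f"{perms}  {path}")
```

Note that the owner class takes precedence even when it is more restrictive than the group bits, which is why a 0477 file is read-only for its owner while group members get full access.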