SFTP Plugin; group read-only instead of read-write

  • I have successfully set up and configured the SFTP plugin.
    I am using SFTP to remotely mount shares with SSHFS.
    In the LAN at home I use CIFS/SMB for mounting shares.
    Nearly everything works like a charm!
    The only problem is file access rights.
    When I create files on shares mounted with CIFS/SMB owner is root and group has RWX (read and write).
    When I create files on shares mounted with SFTP owner is sftpuser and group has only R (read) access.
    The problem now occurs when I have created files remotely (SSHFS/SFTP mount), come back home (CIFS/SMB mount of the same share) and want to edit the file which I created remotely (with SFTP/SSHFS): I can't modify the files.
    SMB shares are owned by root (not depending on the Luser used to log in to SAMBA, well, used to SMB-mount the specific share).
    I see two things which could solve the trouble:
    1. SFTP plugin/service should use (run as) root
    or
    2. SFTP should not cut off rights for the group
    I guess SFTP is using some umask which cuts off write access for the group. I also know there should be an option to set the umask for sftp, but I do not know how to configure this in the SFTP plugin. (Other plugins, e.g. transmission, have a umask setting in the config GUI as far as I have read in some threads here.)


    Any help appreciated!
    Thanx in advance!


    Greetings from Bavaria - Jochen


    P.S.: In general, of course, if I set privileges (and ACL) for a specific share to a specific user and enable the user in a service, e.g. SAMBA, SFTP, FTP,... this user should have access to the share exactly as set with privileges, regardless of the protocol (SMB, SSH/SFTP,...) he/she is using to access the share. IMHO this would be one advantage of using a web GUI NAS instead of setting up a CLI-only, manually configured Debian server.

    • Official post

    SFTP plugin/service should use (run as) root

    It does.
    root 1066 0.0 0.0 15848 6560 ? Ss Jan09 0:00 /usr/sbin/sshd -D -f /etc/ssh/omv_sftp_config


    SFTP should not cut off rights for the group

    It isn't. The plugin doesn't create a user or a user called sftpuser. You are creating that user. And that is how sftp works - the file is owned by the user that created it. If you can't access the file via smb after this, you need to fix the permissions. There is no service changing them.

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Dear ryecoaaron,


    Thanx for your (very fast!) answer!


    But it does not help me (yet); maybe because I do not understand
    exactly what to do, or I did not really point out my problem clearly.


    Well I guess the use case which I have trouble with is clear(?!?)
    But not tech details.


    You're right, I have created a user called ftpuser1. I also have users
    Jochen and another one, my wife, let's call her user "W".
    We both want to access share "Daten1", in LAN with SMB/CIFS as well
    as remote with SFTP.
    All these users are in group users (as well as in others, e.g.
    sftp).


    On the share "Daten1", I set privileges read+write for Jochen, sftpuser
    and "W".
    I have set the ACL for the share to owner root:rwx, group users:rwx.


    I have made some more investigations, and they showed that if I mount SMB
    with GVFS (just in the GUI, in Thunar, locating the server and shares...),
    I am able to write to files which I created with the SFTP/SSHFS mount.
    So the effect is somehow related to the local mount (options), but also
    somehow to some server rights (ACL) and/or umask settings. I am a bit
    confused now.


    Maybe you could have a look at the tests/results below, and help me
    to look/search in the correct direction (at the moment I still guess it
    is due to a umask, e.g. 0022, which the SFTP server is using/setting, or my SSHFS mount options are incorrect, but maybe I am completely wrong with both).
    I would be happy if you could point me to the best-practice way (or to points to pay attention to) of using (more than one) shares, with more than one user, mounting mixed SMB and SFTP/SSHFS.



    I made a test with 3 files, created each with another mount:
    1. TestSMBMount.txt: created with SMB using mount -t cifs ...
    2. TestSFTPMount.txt: created with SFTP using SSHFS
    3. TestSMBGVFSMount.txt: created with SMB using GVFS with Thunar GUI



    When I ssh into OMV I see the following.



    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ id
    uid=1009(ssh1) gid=100(users) groups=100(users),27(sudo),112(ssh)




    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ ls -l
    total 16
    -rw-r--r--+ 1 sftpdaten1 users 0 Jan 15 21:30 TestSFTPMount.txt
    -rw-rw-r--+ 1 Jochen users 0 Jan 14 22:47 TestSMBGVFSMount.txt
    -rw-rwxr--+ 1 Jochen users 35 Jan 14 23:05 TestSMBMount.txt




    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ getfacl TestSFTPMount.txt
    # file: TestSFTPMount.txt
    # owner: sftpdaten1
    # group: users
    user::rw-
    user:webdav:rwx #effective:r--
    user:ssh4:rwx #effective:r--
    user:sftp:rwx #effective:r--
    user:sftpdaten1:rwx #effective:r--
    group::rwx #effective:r--
    group:backup:rwx #effective:r--
    group:users:rwx #effective:r--
    group:webdav-users:rwx #effective:r--
    group:ja:rwx #effective:r--
    mask::r--
    other::r--



    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ getfacl TestSMBMount.txt
    # file: TestSMBMount.txt
    # owner: Jochen
    # group: users
    user::rw-
    user:webdav:rwx
    user:ssh4:rwx
    user:sftp:rwx
    user:sftpdaten1:rwx
    group::rwx
    group:backup:rwx
    group:users:rwx
    group:webdav-users:rwx
    group:ja:rwx
    mask::rwx
    other::r--



    stSMBGVSMount.txt
    # file: TestSMBGVFSMount.txt
    # owner: Jochen
    # group: users
    user::rw-
    user:webdav:rwx #effective:rw-
    user:ssh4:rwx #effective:rw-
    user:sftp:rwx #effective:rw-
    user:sftpdaten1:rwx #effective:rw-
    group::rwx #effective:rw-
    group:backup:rwx #effective:rw-
    group:users:rwx #effective:rw-
    group:webdav-users:rwx #effective:rw-
    group:ja:rwx #effective:rw-
    mask::rw-
    other::r--




    I have mounted with the following commands:



    SMB:
    mount -t cifs -o username=Jochen,password=MyPW,uid=1001,gid=1001,file_mode=0660,dir_mode=0770,vers=2.0 //MyOMV/Daten1 ~/MyLocalMountPoint



    SFTP:
    sshfs -p 222 -o compression=no,Ciphers=chacha20-poly1305@openssh.com,cache=yes,cache_timeout=20,compression=no,allow_other,idmap=user,uid=$(id -u),gid=$(id -g),reconnect,ServerAliveInterval=10,ServerAliveCountMax=3,password_stdin sftpdaten1@MyOMV:/Daten1/ ~/MyLocalMountPoint



    Mount SSHFS (SFTP)
    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ id
    uid=1009(ssh1) gid=100(users) groups=100(users),27(sudo),112(ssh)
    ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$


    On the local machine it shows:



    A) mounted by SFTP/SSHFS:


    mount -l:
    sftpdaten1@omv.wjlbyzwffuyn4u0t.myfritz.net:/Daten1/ on
    /home/jochen/Server/Daten1 type fuse.sshfs
    (rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other)


    ls -l:
    -rw-r--r-- 1 jochen jochen 0 Jan 15 21:30 TestSFTPMount.txt
    -rw-rw-r-- 1 jochen jochen 0 Jan 14 22:47 TestSMBGVSMount.txt
    -rw-rwxr-- 1 jochen jochen 35 Jan 14 23:05 TestSMBMount.txt




    B) mounted by SMB:



    mount -l:
    //omv.fritz.box/Daten1 on /home/jochen/Server/Daten1 type cifs
    (rw,relatime,vers=2.0,sec=ntlmssp,cache=strict,username=Jochen,domain=OMV,uid=1001,forceuid,gid=1001,forcegid,addr=2001:16b8:2620:5000:d4e0:cefa:ccc8:5a36,file_mode=0660,dir_mode=0770,nounix,serverino,mapposix,rsize=65536,wsize=65536,echo_interval=60,actimeo=1)


    ls -l:
    -rw-rw---- 1 jochen jochen 0 Jan 15 21:30 TestSFTPMount.txt
    -rw-rw---- 1 jochen jochen 0 Jan 14 22:47 TestSMBGVSMount.txt
    -rw-rw---- 1 jochen jochen 35 Jan 14 23:05 TestSMBMount.txt


    But when trying to write (open with leafpad, type something in, click "Save")
    file TestSFTPMount.txt I get an error saying no permission.


    Your help is really appreciated :)



    Btw.: For the moment, as a workaround, I decided to use SFTP/SSHFS also
    locally (LAN) instead of SMB (mount -t cifs). But in general I want to use
    SMB when connecting locally (for some reasons, e.g. that I will also have users with Windows 10 in the future).



    Best greetings from Bavaria - Jochen


    P.S.: I read some other threads and noticed that you decided to provide the SFTP plugin for OMV 5; I am really very glad about this!!! IMHO SFTP/SSHFS is just THE fast, easy to set up (especially for firewalls and NAT) and secure option for remote file access.
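
How the `mask::` entry in the `getfacl` listings above produces the `#effective:` column, as an added example that is not part of the thread. The sample is an abridged copy of the TestSFTPMount.txt listing, and the function names are hypothetical.

```python
# Constructed sample: abridged getfacl output for TestSFTPMount.txt from the post.
SFTP_FILE_ACL = """\
# file: TestSFTPMount.txt
# owner: sftpdaten1
# group: users
user::rw-
user:sftpdaten1:rwx #effective:r--
group::rwx #effective:r--
group:users:rwx #effective:r--
mask::r--
other::r--
"""

def parse_getfacl(text):
    """Return (entries, mask); entries are (tag, qualifier, perms) tuples."""
    entries, mask = [], None
    for line in text.splitlines():
        # Drop "# file:" style headers and trailing "#effective:" notes.
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qualifier, perms))
    return entries, mask

def effective(perms, mask):
    """AND an entry's permissions with the mask, position by position."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective_acl(text):
    """Map 'tag:qualifier' to effective permissions.

    Per acl(5) the mask limits named users, the owning group and named
    groups; the owner (user::) and other:: entries are not masked.
    """
    entries, mask = parse_getfacl(text)
    result = {}
    for tag, qualifier, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        result[f"{tag}:{qualifier}"] = effective(perms, mask) if masked else perms
    return result

def write_blocked_by_mask(text):
    """Entries that grant 'w' in the ACL but lose it to the mask."""
    entries, _ = parse_getfacl(text)
    eff = effective_acl(text)
    return sorted(f"{t}:{q}" for t, q, p in entries
                  if "w" in p and "w" not in eff[f"{t}:{q}"])
```
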

    • Official post

    total 16
    -rw-r--r--+ 1 sftpdaten1 users 0 Jan 15 21:30 TestSFTPMount.txt
    -rw-rw-r--+ 1 Jochen users 0 Jan 14 22:47 TestSMBGVFSMount.txt
    -rw-rwxr--+ 1 Jochen users 35 Jan 14 23:05 TestSMBMount.txt

    I wish the post wasn't so long... Your sftp mount is much more restrictive. The gvfs mount is the only one that makes sense. If you can get all three methods to make the files as the users group and writeable by the users group, it would probably work how you want. Please don't mess with ACLs though. I hate ACLs.


  • Dear ryecoaaron,



    Thanx for your answer!
    In the meantime I have tested some sshfs mount options but did not
    manage to create files with -rw-rw-... from an sshfs
    mount.
    Using gvfs is not really an option, because I can't define a mount point
    (well, a workaround would be using a symlink to the location where the OMV
    share should have been mounted; not tried yet).
    I also read some (many) threads about sshfs and sftp via openssh-server,
    but did not find a solution which works for me; e.g. some threads talk
    about setting the umask on the server side ("Subsystem sftp internal-sftp -u
    0002" in sshd_conf) as the solution; but in the OMV SFTP plugin I can't set
    these options and try out if it helps (as I saw, this line, which exists
    in the general section as well as in each share's section, is in some way
    hardcoded in the SFTP plugin).
    And yes, you're right, the solution can be just on the client side, as
    the gvfs-mount results show. Do you (or any other person in this forum) have
    hints which options to set or not to set when mounting with sshfs? This
    would help me much! As well as any other (server side) settings/options
    which have the result that I can use a share with two or more users
    with SFTP as well as with a CIFS mount.



    BR - Jochen
