SFTP Plugin; group read-only instead of read-write

    • SFTP Plugin; group read-only instead of read-write

      I have successfully set up and configured the SFTP plugin.
      I am using SFTP to remote mount shares with SSHFS.
      In the LAN at home I use CIFS/SMB for mounting shares.
      Nearly everything works like a charm!
      The only problem is file access rights.
      When I create files on shares mounted with CIFS/SMB owner is root and group has RWX (read and write).
      When I create files on shares mounted with SFTP owner is sftpuser and group has only R (read) access.
      The problem now occurs when I have created files remote (SSHFS/SFTP mount), come back home (CIFS/SMB mount of the same share) and want to edit the file which I created remote (with SFTP/SSHFS). - I can't modify files.
      SMB shares are owned by root (not depending on the Luser used to log in to SAMBA, well used to SMB mount the specific share).
      I see two things which could solve the trouble:
      1. SFTP plugin/service should use (run as) root
      or
      2. SFTP should not cut off rights for the group
      I guess SFTP is using some umask which cuts off write access for the group. I also know there should be an option to set umask for sftp; but I do not know how to configure this in the SFTP Plugin. (Other plugins e.g. transmission have a umask setting in the config GUI as far as I have read in some threads here).

      Any help appreciated!
      Thanx in advance!

      Greetings from Bavaria - Jochen

      P.S.: In general of course if I set privilege (and ACL) for a specific share to a specific user and enable the user in a service e.g. SAMBA, SFTP, FTP,... this user should have access to the share exactly as set with privileges, regardless of the protocol (SMB, SSH/SFTP,...) he/she is accessing the share. IMHO this would be one advantage of using a web GUI NAS instead of setting up a just CLI operated, manually configured Debian server.


    • Jochen wrote:

      SFTP plugin/service should use (run as) root
      It does.
      root 1066 0.0 0.0 15848 6560 ? Ss Jan09 0:00 /usr/sbin/sshd -D -f /etc/ssh/omv_sftp_config

      Jochen wrote:

      SFTP should not cut off rights for the group
      It isn't. The plugin doesn't create a user or a user called sftpuser. You are creating that user. And that is how sftp works - the file is owned by the user that created it. If you can't access the file via smb after this, you need to fix the permissions. There is no service changing them.
      omv 5.3.2 usul | 64 bit | 5.3 proxmox kernel | omvextrasorg 5.2.4
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Dear ryecoaaron,

      Thanx for your (very fast!) answer!

      But it does not help me (yet); maybe because I do not understand
      exactly what to do or I did not really clearly point out my problem.

      Well I guess the use case which I have trouble with is clear(?!?)
      But not tech details.

      You're right, I have created a user called ftpuser1. I also have users
      Jochen and another one, my wife, let's call user "W".
      We both want to access share "Daten1", in LAN with SMB/CIFS as well
      as remote with SFTP.
      All these users are in group users (as well as in others, e.g.
      sftp).

      On the share "Daten1", I set privileges read+write to Jochen, sftpuser
      and "W".
      I have set ACL for the share owner root:rwx, group users:rwx

      I have made some more investigations and it showed that if I mount SMB
      with GVFS (just in the GUI in Thunar location the server and shares...),
      I am able to write to files which I created with the SFTP/SSHFS mount.
      So the effect is somehow related to the local mount (options), but also
      somehow to some server rights (ACL) and/or umask settings. I am a bit
      confused now.

      Maybe you could have a look at the tests/results below, and help me
      to look/search in the correct direction (at the moment I still guess it
      is due to a umask e.g. 0022 which SFTP server is using/setting, or my SSHFS mount options are incorrect, but maybe I am completely wrong with both).
      I would be happy if you could point me to the best practice way (or point me to points to pay attention to) of using (more than one) shares, with more than one user, mounting mixed SMB and SFTP/SSHFS.


      I made a test with 3 files, created each with another mount:
      1. TestSMBMount.txt: created with SMB using mount -t cifs ...
      2. TestSFTPMount.txt: created with SFTP using SSHFS
      3. TestSMBGVFSMount.txt: created with SMB using GVFS with Thunar GUI


      When I ssh into OMV I see the following.


      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ id
      uid=1009(ssh1) gid=100(users) groups=100(users),27(sudo),112(ssh)



      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ ls -l
      total 16
      -rw-r--r--+ 1 sftpdaten1 users 0 Jan 15 21:30 TestSFTPMount.txt
      -rw-rw-r--+ 1 Jochen users 0 Jan 14 22:47 TestSMBGVFSMount.txt
      -rw-rwxr--+ 1 Jochen users 35 Jan 14 23:05 TestSMBMount.txt



      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ getfacl TestSFTPMount.txt
      # file: TestSFTPMount.txt
      # owner: sftpdaten1
      # group: users
      user::rw-
      user:webdav:rwx #effective:r--
      user:ssh4:rwx #effective:r--
      user:sftp:rwx #effective:r--
      user:sftpdaten1:rwx #effective:r--
      group::rwx #effective:r--
      group:backup:rwx #effective:r--
      group:users:rwx #effective:r--
      group:webdav-users:rwx #effective:r--
      group:ja:rwx #effective:r--
      mask::r--
      other::r--


      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ getfacl TestSMBMount.txt
      # file: TestSMBMount.txt
      # owner: Jochen
      # group: users
      user::rw-
      user:webdav:rwx
      user:ssh4:rwx
      user:sftp:rwx
      user:sftpdaten1:rwx
      group::rwx
      group:backup:rwx
      group:users:rwx
      group:webdav-users:rwx
      group:ja:rwx
      mask::rwx
      other::r--


      stSMBGVSMount.txt
      # file: TestSMBGVFSMount.txt
      # owner: Jochen
      # group: users
      user::rw-
      user:webdav:rwx #effective:rw-
      user:ssh4:rwx #effective:rw-
      user:sftp:rwx #effective:rw-
      user:sftpdaten1:rwx #effective:rw-
      group::rwx #effective:rw-
      group:backup:rwx #effective:rw-
      group:users:rwx #effective:rw-
      group:webdav-users:rwx #effective:rw-
      group:ja:rwx #effective:rw-
      mask::rw-
      other::r--



      I have mounted with the following commands:


      SMB:
      mount -t cifs -o username=Jochen,password=MyPW,uid=1001,gid=1001,file_mode=0660,dir_mode=0770,vers=2.0 //MyOMV/Daten1 ~/MyLocalMountPoint


      SFTP:
      sshfs -p 222 -o compression=no,Ciphers=chacha20-poly1305@openssh.com,cache=yes,cache_timeout=20,compression=no,allow_other,idmap=user,uid=$(id -u),gid=$(id -g),reconnect,ServerAliveInterval=10,ServerAliveCountMax=3,password_stdin sftpdaten1@MyOMV:/Daten1/ ~/MyLocalMountPoint


      Mount SSHFS (SFTP)
      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$ id
      uid=1009(ssh1) gid=100(users) groups=100(users),27(sudo),112(ssh)
      ssh1@OMV:/srv/dev-disk-by-label-Data1/Daten1/zSchublade/Test/testdir$

      On the local machine it shows:


      A) mounted by SFTP/SSHFS:

      mount -l:
      sftpdaten1@omv.wjlbyzwffuyn4u0t.myfritz.net:/Daten1/ on
      /home/jochen/Server/Daten1 type fuse.sshfs
      (rw,nosuid,nodev,relatime,user_id=1001,group_id=1001,allow_other)

      ls -l:
      -rw-r--r-- 1 jochen jochen 0 Jan 15 21:30 TestSFTPMount.txt
      -rw-rw-r-- 1 jochen jochen 0 Jan 14 22:47 TestSMBGVSMount.txt
      -rw-rwxr-- 1 jochen jochen 35 Jan 14 23:05 TestSMBMount.txt



      B) mounted by SMB:


      mount -l:
      //omv.fritz.box/Daten1 on /home/jochen/Server/Daten1 type cifs
      (rw,relatime,vers=2.0,sec=ntlmssp,cache=strict,username=Jochen,domain=OMV,uid=1001,forceuid,gid=1001,forcegid,addr=2001:16b8:2620:5000:d4e0:cefa:ccc8:5a36,file_mode=0660,dir_mode=0770,nounix,serverino,mapposix,rsize=65536,wsize=65536,echo_interval=60,actimeo=1)

      ls -l:
      -rw-rw---- 1 jochen jochen 0 Jan 15 21:30 TestSFTPMount.txt
      -rw-rw---- 1 jochen jochen 0 Jan 14 22:47 TestSMBGVSMount.txt
      -rw-rw---- 1 jochen jochen 35 Jan 14 23:05 TestSMBMount.txt

      But when trying to write (open with leafpad, type something in, click "Save")
      file TestSFTPMount.txt I get an error saying no permission.

      Your help is really appreciated :)


      Btw.: For the moment as a workaround I decided to use SFTP/SSHFS also
      local (LAN) instead of SMB (mount -t cifs). But in general I want to use
      SMB when connecting local (for some reasons, e.g. that I will have users with Windows10 in future also).


      Best greetings from Bavaria - Jochen

      P.S.: I read some other threads and noticed that you decided to provide SFTP plugin for OMV 5; I am really very glad about this!!! IMHO SFTP/SSHFS is just THE fast, easy to set up (especially for firewalls and NAT) and secure option for remote file access.
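
Added example (not part of the thread and not the plugin's code): the `#effective:` column in the getfacl listings above is each named-user and group entry ANDed with the `mask::` entry. The Python sketch below parses abridged copies of two of those listings and runs the POSIX ACL access check for one user; the function names and the abridged entry set are assumptions made for the illustration.

```python
# Abridged copies of the getfacl listings quoted in the post above.
TEMPLATE = """\
# file: {name}
# owner: {owner}
# group: users
user::rw-
user:sftpdaten1:rwx
group::rwx
group:users:rwx
mask::{mask}
other::r--
"""
SFTP_FILE = TEMPLATE.format(name="TestSFTPMount.txt", owner="sftpdaten1", mask="r--")
GVFS_FILE = TEMPLATE.format(name="TestSMBGVFSMount.txt", owner="Jochen", mask="rw-")

def parse_getfacl(text):
    """Return owner, owning group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, value = line[2:].split(":", 1)
            acl[key] = value.strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, qualifier, perms[:3]))
    return acl

def allowed(acl, user, groups, perm):
    """POSIX ACL check for one permission letter ('r', 'w' or 'x')."""
    entries = acl["entries"]
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    def has(perms, masked=True):
        return perm in perms and (not masked or perm in mask)
    if user == acl["owner"]:            # owner uses user::, the mask does not apply
        return has(next(p for t, q, p in entries if t == "user" and q == ""), masked=False)
    for t, q, p in entries:             # named user entry, limited by the mask
        if t == "user" and q == user:
            return has(p)
    matching = [p for t, q, p in entries if t == "group"
                and (q in groups or (q == "" and acl["group"] in groups))]
    if matching:                        # group entries, limited by the mask
        return any(has(p) for p in matching)
    return has(next(p for t, q, p in entries if t == "other"), masked=False)
```

For user Jochen in group users, `allowed(parse_getfacl(SFTP_FILE), "Jochen", {"users"}, "w")` is false because `mask::r--` strips write from every group entry, while the same call on `GVFS_FILE` is true because Jochen owns that file.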
    • Jochen wrote:

      total 16
      -rw-r--r--+ 1 sftpdaten1 users 0 Jan 15 21:30 TestSFTPMount.txt
      -rw-rw-r--+ 1 Jochen users 0 Jan 14 22:47 TestSMBGVFSMount.txt
      -rw-rwxr--+ 1 Jochen users 35 Jan 14 23:05 TestSMBMount.txt
      I wish the post wasn't so long... Your sftp mount is much more restrictive. The gvfs mount is the only one that makes sense. If you can get all three methods to make the files as the users group and writeable by the users group, it would probably work how you want. Please don't mess with ACLs though. I hate ACLs.
    • Dear ryecoaaron,


      Thanx for your answer!
      In the meantime I have tested some sshfs mount options but did not
      manage to create files with -rw-rw-... from an sshfs
      mount.
      Using gvfs is not really an option, because I can't define a mount point
      (well a workaround would be using a symlink to the location where the OMV
      share should have been mounted, not tried yet).
      I also read some (many) threads about sshfs and sftp via openssh-server,
      but did not find a solution which works for me; e.g. some threads talk
      about setting umask on the server side ("Subsystem sftp internal-sftp -u
      0002" in sshd_conf) as the solution; but in OMV SFTP plugin I can't set
      these options and try out if it helps (as I saw this line which exists
      in the general section as well in each shares section is someway
      hardcoded in the SFTP plugin).
      And yes, you're right the solution can be just on the client side, as
      gvfs-mount results show. Do you (or any other person in this forum) have
      hints which options to set or not to set when mounting with sshfs? This
      would help me much! As well as any other (server side) settings/options
      which have the result that I can use a share with two or more users
      with SFTP as well as with CIFS mount.


      BR - Jochen