I have a regular Linux filesystem and part of it is used with SFTP.
My goal is for sftp-user to list and get files in a subdirectory. The user must also be able to delete files in that subdirectory. And finally, I do NOT want that user to be able to upload files into that subdirectory.
I struggle with the file permissions for this subdirectory.
CodePudding user response:
It seems you cannot do this with file system permissions alone.
As described here, creating or deleting a file is actually a modification of the directory that contains the file. For that, the user needs to have a "w" permission to this directory. But at the same time, your requirements contradict each other - the user can either both create and delete files, or none of the above.
Apparently you need some kind of an additional authorization mechanism (maybe some web service, or a remotely callable script) to delete or upload the files, and then apply the authorizations there.
Edit: For instance, you could create a REST webservice running with a separate user account that has "w" permission to the directory. You need to perform very strict checking of the passed arguments and authenticate the users, otherwise a hacker could wreck your system.
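
The strict argument checking the answer calls for, as an added example that is not part of the original answer: a helper intended to run under the separate account that holds "w" on the directory, which deletes only a regular file named by a bare file name. The names `delete_in_dir`, `Rejected` and `demo` are hypothetical, the directory layout is constructed, and authenticating the caller is left out.

```python
import os
import stat
import tempfile

class Rejected(Exception):
    """Raised when a delete request fails validation."""

def delete_in_dir(base_dir: str, name: str) -> None:
    """Delete one regular file directly inside base_dir, nothing else."""
    # Accept a bare file name only: no separators, no NUL, no "." or "..".
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        raise Rejected(f"invalid file name: {name!r}")
    # Pin the directory by descriptor; O_NOFOLLOW refuses a symlinked base_dir.
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        except FileNotFoundError:
            raise Rejected(f"no such file: {name!r}") from None
        # Symlinks, directories and device nodes are refused.
        if not stat.S_ISREG(st.st_mode):
            raise Rejected(f"not a regular file: {name!r}")
        os.unlink(name, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo() -> dict:
    """Run the helper against a constructed temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.mkdir(share)
        for n in ("report.csv", "keep.txt"):
            open(os.path.join(share, n), "w").close()
        outside = os.path.join(root, "outside.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(share, "link"))
        for request in ("report.csv", "../outside.txt", "link", "missing", ""):
            try:
                delete_in_dir(share, request)
                results[request] = "deleted"
            except Rejected:
                results[request] = "rejected"
        results["remaining"] = sorted(os.listdir(share))
        results["outside_intact"] = os.path.exists(outside)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the SFTP user has no "w" on the directory, the service account is the only writer, so the entry cannot be swapped between the `stat` and the `unlink`.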