====== Linux permissions ======

//see also: [[de:admin:linux:acl]]//

===== write only "drop" folders =====

Configure the SFTP subsystem (in ''sshd_config'') with an explicit umask:

<code>
Subsystem sftp /usr/lib/openssh/sftp-server -u 666
</code>

''man sftp-server'' says:

<code>
-u umask
    Sets an explicit umask(2) to be applied to newly-created files and
    directories, instead of the user's default mask.
</code>

Then you do ''setfacl -m d:u:adminuser:rwX /path/to/folder'', where ''adminuser'' is the user which should be able to read and write the files. Similarly it works with ''setfacl -m d:g:admingroup:rwX /path/to/folder'' for a group.

If you allow regular SSH, the user who created the files (= the owner) can also run ''setfacl -m u::rwX'' on them and do whatever they like with them afterwards. Make sure that you only allow SFTP.

You can also use ACLs to set the default permissions: ''setfacl -m u::-,g::-'' makes it so the user creating the file doesn't have any permissions. It's always possible to change permissions as the owner, though (see the note about regular SSH above). The solution for this would be setting the setuid/setgid bits on the directory, but Linux doesn't allow setuid on directories (except if you use the GFS2 file system on Linux, or any FS on FreeBSD with the ''suiddir'' mount option).

You can also watch the folder for changes and chown the newly created files with this little script:

<code bash>
#!/bin/sh
# Usage:
#   inotify-chown <owner>:<group> <directory>
# Watches the directory recursively and hands every newly created or
# modified file to the given owner (and group), so the uploader no
# longer owns it and can't change its permissions afterwards.
inotifywait -mrq -e create -e modify --format '%w%f' "$2" | while read -r FILE
do
    chown -c "$1" "$FILE"
done
</code>
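As an added example (not part of the original page), a small shell script that reproduces in a scratch directory what the ''-u 666'' umask does to newly created files and directories, and demonstrates the caveat above that the owner can still ''chmod'' the file back to readable. It uses plain umask only, so the ACL interaction is not exercised, and it assumes GNU coreutils (''stat -c'').

```shell
#!/bin/sh
# Added example, not part of the original page: reproduce what the
# sftp-server "-u 666" umask does to new objects and show the caveat that
# the owner can chmod them back. Plain umask only (no setfacl), so the ACL
# interaction is not covered. Assumes GNU coreutils (stat -c).
set -eu

# Octal mode a new file gets under umask $1 (files are requested as 0666).
file_mode_under_umask() {
    printf '%o\n' $(( 0666 & ~0$1 ))
}

# Octal mode a new directory gets under umask $1 (directories start at 0777,
# so umask 666 still leaves --x--x--x: traversable, but not listable).
dir_mode_under_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# Create a file and a subdirectory inside $1 under umask $2 and return their
# observed modes as "<file> <dir>", e.g. "0 111" for umask 666.
create_under_umask() {
    dir=$1; mask=$2
    ( umask "$mask"; : > "$dir/upload.bin"; mkdir "$dir/subdir" )
    printf '%s %s\n' "$(stat -c %a "$dir/upload.bin")" "$(stat -c %a "$dir/subdir")"
}

# The caveat from the text: the owner of a 000-mode file can still chmod it
# back to readable, so the umask alone is not an access control.
owner_can_restore_read() {
    chmod u+r "$1/upload.bin" && [ -r "$1/upload.bin" ]
}

demo() {
    tmp=$(mktemp -d)
    echo "expected under umask 666: file $(file_mode_under_umask 666), dir $(dir_mode_under_umask 666)"
    echo "observed:                 $(create_under_umask "$tmp" 666)"
    if owner_can_restore_read "$tmp"; then
        echo "owner restored read access with chmod u+r (mode now $(stat -c %a "$tmp/upload.bin"))"
    fi
    rm -rf "$tmp"
}

demo
```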