Ubuntu – SSHFS files from one server to another


I am trying to find the most secure way to transfer files from one server to another.

I have the following architecture:


Currently I am using the main user salamis in order to mount the directories.

The files in the original directory are created through a PHP file manager elfinder.

Unfortunately, I am not able to move, rename or delete any file from the mounted directory through PHP. I get permission denied.

1) Is it because I mounted the filesystem using salamis instead of www-data?

2) Is it secure to mount the filesystem on Server 2 as www-data? If yes, how can I achieve that? www-data does not have a password and I cannot login using su -m www-data. I get authentication failure.

3) Can you think of a better architecture?

Best Answer

SSHFS is a FUSE filesystem. These are managed by a user-land process which runs as the user who mounts the filesystem: that sshfs process you run doubles as the filesystem driver. By default, most FUSE filesystems only allow the mounting user to access files inside.

In order to be able to access files through sshfs, you need three things:

  1. The user who is authenticated over ssh on server1 must be able to access the files.
  2. The user who tries to access the sshfs filesystem on server2 must have the necessary access permissions.
  3. The user who tries to access the sshfs filesystem on server2 must be allowed to access that filesystem.

As I wrote above, only the mounting user has that last permission. You can relax this by adding -o allow_user to the sshfs command line, but this won't solve the other two problems. Note that -o allow_user only takes effect if /etc/fuse.conf contains user_allow_user or you are running sshfs as root.

On server2, you need to either run sshfs as the www-data user (whom you will have to give access to the SSH private key), or enable allow_user and arrange for the local www-data to have access to the files it needs. There are several ways to do that: through the uid option, or by passing -o default_permissions, or by passing -o umask 770,gid=www-data. If you enable allow_user, make sure that you don't end up allowing www-data to access more files than it should, and that you don't end up allowing other users to see or modify what they shouldn't. Running sshfs as www-data has the advantage of simplicity: you have a far better chance of not accidentally being too permissive.

For problem #1, you need to ssh into the www-data account on server1, or to allow the account that you use to access those files. There is some benefit in not allowing remote logins to system accounts such as www-data, because these make for poor auditing (you can't know who actually used the account). However, it's not out of the question, and it is somewhat easier to set up. If you don't want to allow remote logins to the www-data account, add salamis¹ to the www-data group, make sure that the filesystem on server1 is mounted with the acl option (add it to the relevant entry in /etc/fstab if necessary), and add an ACL to www-data's files:

setfacl -d -m group:www-data:rwx -R /path/to/www-root
setfacl -m group:www-data:rwx -R /path/to/www-root

¹ If that's your account on server1, I didn't understand from your question whether salamis was a user on server1, on server2 or both.
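The server2 side of the answer, as an added example that is not part of the original answer or of any project's code: a small POSIX sh helper that builds the sshfs command line for the two approaches (run sshfs as www-data itself, or mount as another user and expose the files to www-data), and refuses the second one when /etc/fuse.conf has no uncommented line enabling it for unprivileged mounts. The option names follow the sshfs(1) and mount.fuse(8) man pages: allow_other on the sshfs command line and user_allow_other in /etc/fuse.conf; the umask option is the set of permission bits to clear, so group access to the mount needs umask=007. The hostname server1, the paths, the key and known_hosts files and the uid/gid 33 for www-data are assumptions chosen for illustration. The server1 steps (usermod, the acl mount option, setfacl) are exactly as given in the answer and are not repeated here.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the sshfs command line
# for the two server2 approaches described above and refuses the allow_other
# variant when /etc/fuse.conf does not permit it for unprivileged mounts.
# Hostnames, paths, the key file and the uid/gid value 33 for www-data are
# assumptions chosen for illustration; adjust them to your own setup.
set -eu

# fuse_allows_other FILE
# Succeeds when FILE (normally /etc/fuse.conf) contains an uncommented
# user_allow_other line, which non-root users need before -o allow_other works.
fuse_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# ssh_opts KEYFILE KNOWNHOSTS
# Options that sshfs passes through to ssh: pin the key and a known_hosts file
# the service account can read, and fail closed on an unknown host key.
ssh_opts() {
    printf 'IdentityFile=%s,UserKnownHostsFile=%s,StrictHostKeyChecking=yes' "$1" "$2"
}

# sshfs_cmd_as_wwwdata REMOTE MOUNTPOINT KEYFILE KNOWNHOSTS
# Approach 1: run sshfs as www-data itself (via sudo, because www-data has no
# password and no login shell). Only www-data can then see the mount, which is
# the least permissive option.
sshfs_cmd_as_wwwdata() {
    printf 'sudo -u www-data sshfs %s %s -o %s,reconnect,ServerAliveInterval=15\n' \
        "$1" "$2" "$(ssh_opts "$3" "$4")"
}

# sshfs_cmd_allow_other REMOTE MOUNTPOINT KEYFILE KNOWNHOSTS UID GID
# Approach 2: mount as another user (or root) and expose the files to www-data
# with allow_other plus uid/gid/umask. umask lists the permission bits to CLEAR,
# so 007 gives owner and group rwx and nothing to others; 770 would be wrong.
# default_permissions makes the kernel enforce those bits instead of sshfs.
sshfs_cmd_allow_other() {
    printf 'sshfs %s %s -o %s,allow_other,default_permissions,uid=%s,gid=%s,umask=007\n' \
        "$1" "$2" "$(ssh_opts "$3" "$4")" "$5" "$6"
}

# choose_cmd MODE FUSECONF CALLER_UID REMOTE MOUNTPOINT KEYFILE KNOWNHOSTS UID GID
# Prints the command for MODE (wwwdata|allow_other). CALLER_UID is the uid that
# will run sshfs; root does not need user_allow_other, everyone else does.
choose_cmd() {
    mode=$1; fuseconf=$2; caller_uid=$3; shift 3
    case $mode in
        wwwdata)
            sshfs_cmd_as_wwwdata "$1" "$2" "$3" "$4" ;;
        allow_other)
            if [ "$caller_uid" -ne 0 ] && ! fuse_allows_other "$fuseconf"; then
                echo "refusing: $fuseconf has no user_allow_other line, so allow_other would be rejected for uid $caller_uid" >&2
                return 1
            fi
            sshfs_cmd_allow_other "$1" "$2" "$3" "$4" "$5" "$6" ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2 ;;
    esac
}

# Stand-alone demo with a constructed fuse.conf: sh thisfile.sh --demo
demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample of /etc/fuse.conf\n#user_allow_other\n' > "$tmp/fuse.conf"
    choose_cmd wwwdata "$tmp/fuse.conf" 1000 server1:/var/www /srv/www1 \
        /var/www/.ssh/id_ed25519 /var/www/.ssh/known_hosts 33 33
    choose_cmd allow_other "$tmp/fuse.conf" 1000 server1:/var/www /srv/www1 \
        /root/.ssh/id_ed25519 /root/.ssh/known_hosts 33 33 || echo "(mount refused, exit $?)"
    rm -rf "$tmp"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with --demo to see the two command lines; the second is refused because the constructed fuse.conf keeps user_allow_other commented out, which is the state a practitioner should expect on a fresh install. The first approach needs no fuse.conf change at all, which is why the answer calls it the simpler one; it does need the key and known_hosts to be readable by www-data and by nobody else.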