Browsing user home directories on remote server

[morphy_richards]

I've got students work saved in their home directories on a server called athena.

I thought I would be able to use sshfs to mount athena:/home to a dir called athena on my desktop machine, like this.

sshfs athena_admin@athena.computing.lan:/home ./athena


That much works ...

Code: Select all

giotto-admin@giotto:~/athena$ ls
abbiee2011                  catias2013                  florina-arianac2011  lauras2011          nathanaelm2011       sanam2011
abdullahih2012              chakellc2013 ... etc.  

However,

Code: Select all

giotto-admin@giotto:~/athena/dannyh2013$ ls abbiee2011
ls: cannot access abbiee2011: Permission denied

I know I could have ssh'd directly into athena as root user and then view the files in terminal but I really need to be able to browse files and directories with a graphical file manager with the ability to view open office files, programs etc.

Any suggestions?

Thanks in advance.

[RaTTuS]

setup a group on the server that all the students belong to .... i.e. backup
then allow your account to read backup

[morphy_richards]

Thanks.. But.. Which account?

I made a secondary group called 'students'.
All students and the 'root' user called "athena_admin" have been added to this group.

On athena, user accounts are stored in /home

I am logged into another machine called giotto with the user giotto_admin. But still this happens:

Code: Select all

giotto-admin@giotto:~$ sshfs athena_admin@192.168.0.4:/home ./athena
athena_admin@192.168.0.4's password: 
giotto-admin@giotto:~$ cd athena
giotto-admin@giotto:~/athena$ ls abbiee2011
ls: reading directory abbiee2011: Permission denied
giotto-admin@giotto:~/athena$ 

[ripat]

Try this:

Code: Select all

$ sshfs -o idmap=user athena_admin@athena.computing.lan:/home ./athena

[morphy_richards]

Thanks but just getting read: Connection reset by peer

[morphy_richards]

Ah...
DNS issue
but

Code: Select all

giotto-admin@giotto:~$ sshfs -o idmap=user -o sshfs_debug athena_admin@192.168.0.4:/home ./athena
SSHFS version 2.3
athena_admin@192.168.0.4's password: 
Server version: 3
Extension: posix-rename@openssh.com <1>
Extension: statvfs@openssh.com <2>
Extension: fstatvfs@openssh.com <2>
Extension: hardlink@openssh.com <1>
giotto-admin@giotto:~/athena$ ls abbiee2011
ls: reading directory abbiee2011: Permission denied
giotto-admin@giotto:~/athena$ 

[jojopi]

giotto-admin@giotto:~/athena/dannyh2013$ ls abbiee2011
ls: cannot access abbiee2011: Permission denied

This is actually quite a tricky problem. The individual students own those directories and files, so they are responsible for the final permissions. You could tell them to make sure you have access, but they could still get that wrong.

Also, in the simplistic UNIX permissions model, it is difficult for students to give you access without also giving each other access to their work, which might not be desirable.

(You could give each student a group, such that only you are a member of all the groups. Or you could ask them to make the files world-readable but notch out the students group leaving permissions of 0604 = rw----r--. Or you could use file ACLs, or some kind of mandatory access control. But these are all advanced and unusual configurations, and further increase the chance of user error.)

I think you should accept that you probably need to be root. You can either use root to read the files, or you can use it to forcibly change all the permissions, most likely recursively. I think the first option may be safer, unless you are already familiar with setfacl(1).

Note that sshfs will not allow access outside the starting directory. So allowing root access to /home is a lot better than allowing root access to /. If at all possible, make the mount read-only on the client, so that the GUI tools you are using cannot write:

Code: Select all

sshfs -o ro root@192.168.0.4:/home ./athena

(If athena is running Linux, then it is also possible to allow a user such athena_admin read only access to all files, via capability CAP_DAC_READ_SEARCH. Again, that is an advanced topic.)

[morphy_richards]

Note that sshfs will not allow access outside the starting directory. So allowing root access to /home is a lot better than allowing root access to /. If at all possible, make the mount read-only on the client, so that the GUI tools you are using cannot write:

Code: Select all

sshfs -o ro root@192.168.0.4:/home ./athena

(If athena is running Linux, then it is also possible to allow a user such athena_admin read only access to all files, via capability CAP_DAC_READ_SEARCH. Again, that is an advanced topic.)

Thanks for this.
Athena, containing the user home directories is a variant of Ubuntu, As far as I know Ubuntu just has a user in the sudoers group but no actual "roor". Is there any way you know of logging in as root like this?

At the moment I am marking work by having logged through ssh.

I have then done sudo -i on myself and am reading through their work using joe.

[morphy_richards]

Tahnks Jojopi I enabled root: http://askubuntu.com/questions/44418/ho ... root-login

Now, look what I can do with
sshfs root@192.168.0.4:/home ./athena