Adding multiple SFTP users with read-only permissions in different folders.

Hi.
I hope this hasn’t been answered a bazillion times before, but I couldn’t find the answer when googling or browsing this forum. Maybe it’s so simple that it’s just presumed that everyone knows, idk.
Anyway.

I have set up a dietpi RPi, with Sonarr, Radarr, Mylarr, Deluge and nzbget and an external hdd, and it’s all working fabulously, I love it! It downloads everything I want directly to the folders I’ve set up.
However, I have multiple RPi’s set up around the house with Kodi, and I want them to be able to stream from the dietPi RPi through SFTP (it’s easier when I’m not at home, and I never got the hang of samba/vpn/proxy anyway).

So my question is this; is it possible to make another user, like username/pass “kids/movies”, with read only privileges, routing them directly into the folder I have set up for childrens’ movies? I don’t want them to unknowingly delete everything on the harddrive, so it has to be read-only.

I also use the hdd to share some other folders with friends and family, and I don’t want to give them root access with my main password. I would like to set up a guest account, or multiple, so I can direct each user to an individual folder without letting them browse my whole hdd.

Like,
kids/movies goes to “/downloads/complete/Kids_movies”
dan/dan goes to “/downloads/complete/Dans_shit”
series/series goes to “/downloads/complete/Series”
movies/movies goes to “/downloads/complete/Movies”

You get the gist.

I don’t want to change the permissions in my download folders, if that’s a thing, as I like to be able to edit them through Filezilla, deleting old movies/series. And also, NZBGet seems to have some issues with downloading to folders it doesn’t have root access to. I’m kind of a newb with linux/RPi, but I’m having a blast learning how to use it. I hope someone will take their time and read this, and possibly come up with an answer that might help me!

Thanks in advance!

  • donkeyhigh

Not sure if SFTP is the best solution for this. As/If it’s mainly about movies, I suggest using one of our media servers instead that offer a web interface and multi user setup. So you can stream the videos via browser or dedicated client for the particular media server.

AFAIK SFTP does not support streaming so every video would need to be downloaded first. But of course for other kind of file transfer it is a simple solution and compared to Samba/NFS allows file transfer over www and secure compared to FTP. Theoretically Samba/NFS via VPN would work as well, but I would not recommend, already because of the additional complexity and perhaps worse connection loss/delay handling.

Another alternative is a full file sharing solution like ownCloud or Nextcloud which provide comfortable multi user permissions and data handling and have included video players and a wide range of other extensions to handle all kind of data nicely.

However your particular SFTP idea would work as well:

  • Install OpenSSH as SSH server (via dietpi-software), as it has SFTP functionality included.
  • Create UNIX users as desired for each access group, e.g. useradd -M kids
  • Edit /etc/ssh/sshd_config
  • Change Subsystem sftp /usr/lib/openssh/sftp-server to Subsystem sftp internal-sftp
  • Add the following block for each user, setting ChrootDirectory to the desired folder where they should have access limited to:
Match User kids
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /downloads/complete/Kids_movies
        ForceCommand internal-sftp
  • Test via SFTP client that you though about if indeed the users are locked into the desired chroot dir, just to be sure. Login via SSH should be not possible for those users as ForceCommand internal-sftp leads to immediate logout on e.g. PuTTY. So access is only possible then via SFTP client.

Wow, thank you so much for that very (!) informative and helpful reply. I will read it through more thoroughly later on and check out some of the solutions you mentioned.

Thanks a lot man!

I’ve given it some thought, and tried a few different options. I’m thinking about Plex, but not sure if the RPi can handle the Plex decoding used when streaming and while downloading from usenet/autoextracting or repairing rar-files, or seeding torrents.

It used to give me an error when I had Plex on my old laptop, telling the client (my smart tv) that the server (my laptop) couldn’t handle the decoding. But to be fair, it was a $h1tty laptop.
(I think Plex has some sort of internal decoding while streaming, it used to have at least)

Also, there is a plugin for Kodi 18.1> which enables support for SFTP and thereby also streaming in 1:1 bitrate.
Considering we use Kodi everywhere in this house, and it’s mainly localnet streaming with a cabled network with a decent router, SFTP seems to be working fine (just tested it out with a 27gb 2hrs movie, with no issues, and a 2.7gb 20 min episode without any stuttering, not even when jumping back and forth 10 minutes at a time).


Adding more users like you said also worked out great, thanks man!

The ONLY reason I would install Plex at this moment, is to ensure we could stream movies to our cabin, which doesn’t have very good bandwith. Other than that, I’m happy with the SFTP/Kodi solution.
I have a spare micro SD card, so I might just copy my current card over to that, and use the duplicate to test out some different options without being scared of screwing up my final set up as is, since I’m content with it.

Again, thanks for the very helpful reply!

Great, all you say sound very reasonable.

Jep RPi has full Kodi support and can manage streaming. I guess there are only limitations when running 4k (and above) content.
Good to know that Kodi has internal SFTP functionality, I wasn’t aware of this. How does it work? You log in with a certain user on the client and it shows you only content/directories that you define from within Kodi settings? Or do you have to establish the SFTP connection outside of the Kodi client UI?

In case of Plex, I think the decoding + hw acceleration should be generally the same. But of course if you use the web UI throughout www, bandwidth is a limitation (again in case of high quality content), especially since the usually lower upload bandwidth is relevant then. So yeah no harm in simply trying it out.

Ah, is there a different in bandwidth use if you stream via Plex web UI or via local Kodi client with internal SFTP connection?