Re: Disabling specific commands in sftp

On Sun, Feb 12, 2017 at 5:12 AM, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
> On Fri, Feb 10, 2017 at 3:20 AM, Alexandre MALDEME <A.MALDEME@xxxxxxx> wrote:
>> Hi,
>>
>> On CentOS 7 I’m trying to set up a chrooted SFTP server on which specific users can only read and write in a specific folder. And I’d like to disable some commands, so the users can only do ‘cd’, ‘ls’, ‘get’ and ‘put’ (disabling ‘chgrp’, ‘chmod’, ‘chown’, ‘df’ etc.). Is there a way to achieve it, natively or by using third-party software?
>
> There were some published OpenSSH chroot patches years ago, but
> they've been repeatedly rejected for various security reasons.

Err, sshd has ChrootDirectory which was added in the version 4.8
(released in 2008):
https://www.openssh.com/releasenotes.html#4.8

sftp-server has flags -P and -p, which blacklist and whitelist requests
respectively, and which were added in 6.5:
https://www.openssh.com/releasenotes.html#6.5

ChrootDirectory can be used inside a Match User block, but right now
Subsystem can't.  If Alexandre can get away with setting -P or -p
globally for sftp-internal for all users then it should be possible,
and Subsystem could be made to work inside a Match block with a bit of
work.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev