Disallow some sftp commands

Hello,

A couple of days ago, I received a request from a customer.
He wants to provide sftp users access to a directory tree containing files.
The users must have full rights, but he also wants to avoid moving or
deleting directories. This is mostly to prevent mistaken drag and
drop from the user's graphical client (Filezilla).
Said differently, he wants to protect the directory organization.

First, I tried to find how to do that from the system point of view. But it
does not look easily possible according to what the customer wants to do.

So as a proof of concept, I decided to do it from the application side,
modifying the sftp server by answering ok and not doing the rmdir and
rename commands (ugly patch below).
It works as expected and seems to satisfy the customer.

Do you think it is something that could be implemented upstream?
Of course, I am thinking about a proper patch that, as an example, would allow
disabling specific sftp commands for some users.
If yes, I could probably write one, but I will need some guidance to do
it and design it properly.

Regards.
René.

Patch below:
Note: This patch was written to be used on CentOS 6.9, which is using an
old openssh version.

diff openssh-5.3p1/sftp-server.c openssh-5.3p1.patched/sftp-server.c
949a950
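Review bot: the line added by the 949a950 hunk is empty as pasted, so there is nothing to review for it; if it is only a blank line it is harmless, but if the mail client stripped the content, please resend the patch as a unified diff (diff -u) with context lines, which also makes it clear which function each hunk lands in.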

993,994c1001,1004
< 	ret = rmdir(name);
< 	status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
---
> 	/*ret = rmdir(name);
> 	  status = (ret == -1) ? errno_to_portable(errno) :
SSH2_FX_OK;
>         */
> 	status = SSH2_FX_OK;
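Review bot: replacing `ret = rmdir(name);` with an unconditional `status = SSH2_FX_OK;` makes the server report success for a directory it never removed, so the client (and any script driving it) believes the delete happened and will not show the still-present directory as an error; if the command is to be refused, answer with an error such as SSH2_FX_PERMISSION_DENIED rather than faking success. Two smaller points: `ret` is now assigned nowhere in this branch and will draw an unused-variable warning, and the wrapped continuation line `SSH2_FX_OK;` has lost its `>` prefix, so the hunk will not apply as pasted.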
1040a1051,1053
> 	else if (S_ISDIR(sb.st_mode)) {
> 		status = SSH2_FX_OK;
> 	}
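Review bot: the new `else if (S_ISDIR(sb.st_mode))` branch sets SSH2_FX_OK without calling rename(), so a directory move silently appears to succeed on the client side; as with the rmdir hunk, return a permission error so the client's view stays truthful. Also check that the posix-rename@openssh.com extension handler, which is a separate code path from the plain SSH2_FXP_RENAME handler, gets the same directory check, otherwise clients that use the extension can still move directories. The restriction also applies to every user unconditionally, whereas the request is for specific users, which argues for a per-user option rather than a hard-coded change.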
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev