Hello,

A couple of days ago, I received a request from a customer. He wants to provide sftp users access to a directory tree containing files. The users must have full rights, but he also wants to avoid moving or deleting directories. This is mostly to prevent mistaken drag and drop from the user's graphical client (FileZilla). Said differently, he wants to protect the directory organization.

First, I tried to find out how to do that from the system point of view, but it does not look easily possible given what the customer wants to do. So as a proof of concept, I decided to do it from the application side, modifying the sftp server by answering ok and not doing the rmdir and rename commands (ugly patch below). It works as expected and seems to satisfy the customer.

Do you think it is something that could be implemented upstream? Of course, I am thinking of a proper patch that, for example, would allow disabling specific sftp commands for some users. If yes, I could probably write one, but I will need some guidance to do it and design it properly.

Regards.

René.

Patch below:

Note: This patch was written to be used on CentOS 6.9, which is using an old OpenSSH version.

diff openssh-5.3p1/sftp-server.c openssh-5.3p1.patched/sftp-server.c 949a950 993,994c1001,1004 < ret = rmdir(name); < status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; --- > /*ret = rmdir(name); > status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; > */ > status = SSH2_FX_OK; 1040a1051,1053 > else if (S_ISDIR(sb.st_mode)) { > status = SSH2_FX_OK; > }

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
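Review bot: The 949a950 hunk carries no visible added text as posted. If it only adds a blank line, drop it so the diff contains just the behavioural change, and regenerate the patch in unified format (diff -u) so the surrounding function context is visible to reviewers.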
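Review bot: In the 993,994c1001,1004 hunk, "status = SSH2_FX_OK;" reports success for an rmdir that was never executed, so the client believes the directory is gone while it still exists on the server, and its cached listing diverges from the real tree. Return an explicit refusal instead, for example "status = SSH2_FX_PERMISSION_DENIED;", so the client shows the error and keeps its view consistent. The refusal is also unconditional here and applies to every sftp user of this binary; a version meant for upstream needs a per-user or per-invocation switch. Delete the old lines rather than leaving them in a comment, and check whether "ret" is still used in the function once its only assignment is gone.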
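Review bot: In the 1040a1051,1053 hunk, the new "else if (S_ISDIR(sb.st_mode))" branch sets "status = SSH2_FX_OK;" without renaming anything, which has the same false-success problem as the rmdir change: a graphical client will display the directory at its new location although it was not moved. Use a failure status such as SSH2_FX_PERMISSION_DENIED here as well. "sb" is filled in outside the lines shown, so confirm that it describes the source path and whether it comes from lstat() or stat(), since that decides whether a symlink pointing at a directory takes this branch. A short comment on the branch stating that directory renames are refused on purpose would help the next reader.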