On Wed, 6 Sep 2017, René Ribaud wrote:

> Hello,
>
> Couple of days ago, I received a request from a customer.
> He wants to provide sftp users access to a directory tree containing files.
> The users must have full rights, but he also wants to avoid moving or
> deleting directories. This is mostly to prevent mistakenly drag and
> drop from user's graphical client (Filezilla).
> Said differently, he wants to protect the directories organization.
>
> First, I tried to find how to do that from system point of view. But it
> looks not easily possible according to what customer wants to do.
>
> So as a proof of concept, I decided to do it from the application side,
> modifying the sftp server by answering ok and not doing the rmdir and
> rename commands (ugly patch below).
> It works as expected and seems to satisfy the customer.
>
> Do you think, it is something that could be implemented upstream ?

I added this ability 4 years ago. See the -p/-P and -Q flags for
sftp-server. These are the requests that can be white/blacklisted:

[djm@natsu]$ /usr/libexec/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
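
An added example, not part of the message above and not code from the OpenSSH project: a small shell helper that checks request names against the `-Q requests` list quoted in the reply and prints an sshd_config block refusing them with `-P`. The group name `sftpusers` and the function name `deny_block` are assumptions made for illustration.

```shell
#!/bin/sh
# Request names as printed by `sftp-server -Q requests` in the reply above.
KNOWN_REQUESTS="open close read write lstat fstat setstat fsetstat opendir \
readdir remove mkdir rmdir realpath stat rename readlink symlink posix-rename \
statvfs fstatvfs hardlink fsync"

# deny_block GROUP REQUEST...
# Prints an sshd_config Match block that forces internal-sftp with the given
# requests refused (-P). Returns 1 if no request is given or a name is not in
# the list, so a mistyped name is caught before the config is written.
deny_block() {
    group=$1; shift
    [ "$#" -gt 0 ] || { echo "no requests given" >&2; return 1; }
    list=""
    for req in "$@"; do
        case " $KNOWN_REQUESTS " in
            *" $req "*) ;;   # known request name
            *) echo "unknown sftp request: $req" >&2; return 1 ;;
        esac
        # Build the comma-separated list that -P expects.
        list="${list:+$list,}$req"
    done
    printf 'Match Group %s\n' "$group"
    printf '    ForceCommand internal-sftp -P %s\n' "$list"
}

# Constructed usage for the customer case in the thread:
# "sftpusers" is a hypothetical group name.
deny_block sftpusers rmdir rename posix-rename
```

The filter works on request names only, so refusing `rename` and `posix-rename` also stops users from renaming or moving regular files, not just directories.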