Re: Disallow some sftp commands

On Wed, 6 Sep 2017, René Ribaud wrote:

> Hello,
> 
> A couple of days ago, I received a request from a customer.
> He wants to provide sftp users access to a directory tree containing files.
> The users must have full rights, but he also wants to avoid moving or
> deleting directories. This is mostly to prevent mistaken drag-and-drop
> from the user's graphical client (Filezilla).
> Said differently, he wants to protect the directory organization.
> 
> First, I tried to find how to do that from the system point of view. But it
> does not look easily possible according to what the customer wants to do.
> 
> So as a proof of concept, I decided to do it from the application side,
> modifying the sftp server by answering ok and not doing the rmdir and
> rename commands (ugly patch below).
> It works as expected and seems to satisfy the customer.
> 
> Do you think it is something that could be implemented upstream?

I added this ability 4 years ago. See the -p/-P and -Q flags for
sftp-server.

These are the requests that can be white/blacklisted:

[djm@natsu]$ /usr/libexec/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
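Applying the flags Damien mentions to the original use case, as an added sshd_config example that is not from the thread or from OpenSSH itself: an assumed group `sftponly` gets chrooted SFTP with the rmdir, rename and posix-rename requests refused server-side, while file operations stay allowed. The group name and the chroot path are assumptions.

```sshd_config
# /etc/ssh/sshd_config (added example; group name and paths are assumptions)
Subsystem sftp internal-sftp

Match Group sftponly
    # Chroot root must be owned by root and not group/world-writable;
    # users get a writable subdirectory below it.
    ChrootDirectory /srv/sftp/%u
    # internal-sftp takes the same options as sftp-server(8):
    # -P bans the listed requests, -p would instead allow only the listed ones.
    # Use "sftp-server -Q requests" to see the names accepted here.
    ForceCommand internal-sftp -P rmdir,rename,posix-rename
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Unlike the patch in the original post, the server answers a denied request with a permission error rather than a silent OK, so clients report the failure. Since an SFTP rename does not distinguish files from directories, renaming or moving files is blocked as well; add mkdir to the list if creating directories should also be prevented.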