Re: Disallow some sftp commands

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, 2017-09-07 at 09:13 +1000, Damien Miller wrote:
> On Wed, 6 Sep 2017, René Ribaud wrote:
> 
> > Hello,
> > 
> > Couple of days ago, I received a request from a customer.
> > He wants to provide sftp users access to a directory tree
> > containing files.
> > The users must have full rights, but he also wants to avoid moving
> > or
> > deleting directories. This is mostly to prevent mistakenly drag and
> > drop from user's graphical client (Filezilla).
> > Said differently, he wants to protect the directories organization.
> > 
> > First, I tried to find how to do that from system point of view.
> > But it
> > looks not easilly possible according to what customer wants to do.
> > 
> > So as a proof of concept, I decided to do it from the application
> > side,
> > modifying the sftp server by answering ok and not doing the rmdir
> > and
> > rename commands (ugly patch below).
> > It works as expected and seems to satisfy the customer.
> > 
> > Do you think, it is something that could be implemented upstream ?
> 
> I added this ability 4 years ago. See the -p/-P and -Q flags for
> sftp-server.
> 
> These are the requests that can be while/blacklisted:
> 
> [djm@natsu]$ /usr/libexec/sftp-server -Q requests 
> open
> close
> read
> write
> lstat
> fstat
> setstat
> fsetstat
> opendir
> readdir
> remove
> mkdir
> rmdir
> realpath
> stat
> rename
> readlink
> symlink
> posix-rename
> statvfs
> fstatvfs
> hardlink
> fsync
> 
> -d
> 

Sorry, I completely missed these options mainly because it is not
available with the CentOS 6 sftp-server. And I don't know why, I didn't
checked the man pages of the latest release....

Anyway thank you really much Damien that's exactly what we need.

Regards.
René.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux