On Thu, 2017-09-07 at 09:13 +1000, Damien Miller wrote:
> On Wed, 6 Sep 2017, René Ribaud wrote:
>
> > Hello,
> >
> > Couple of days ago, I received a request from a customer.
> > He wants to provide sftp users access to a directory tree
> > containing files.
> > The users must have full rights, but he also wants to avoid moving or
> > deleting directories. This is mostly to prevent mistakenly drag and
> > drop from user's graphical client (Filezilla).
> > Said differently, he wants to protect the directories organization.
> >
> > First, I tried to find how to do that from system point of view. But it
> > looks not easily possible according to what customer wants to do.
> >
> > So as a proof of concept, I decided to do it from the application side,
> > modifying the sftp server by answering ok and not doing the rmdir and
> > rename commands (ugly patch below).
> > It works as expected and seems to satisfy the customer.
> >
> > Do you think, it is something that could be implemented upstream ?
>
> I added this ability 4 years ago. See the -p/-P and -Q flags for
> sftp-server.
>
> These are the requests that can be white/blacklisted:
>
> [djm@natsu]$ /usr/libexec/sftp-server -Q requests
> open
> close
> read
> write
> lstat
> fstat
> setstat
> fsetstat
> opendir
> readdir
> remove
> mkdir
> rmdir
> realpath
> stat
> rename
> readlink
> symlink
> posix-rename
> statvfs
> fstatvfs
> hardlink
> fsync
>
> -d

Sorry, I completely missed these options mainly because it is not
available with the CentOS 6 sftp-server.
And I don't know why, I didn't check the man pages of the latest
release....

Anyway thank you very much Damien, that's exactly what we need.

Regards.
René.
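
The deny list discussed in this thread, as an added example that is not part of the original messages or of OpenSSH: a shell helper that checks each request name against the `-Q requests` output quoted above before emitting an `sshd_config` `Subsystem` line with `-P`. The function names `is_supported` and `build_subsystem_line` are hypothetical, and the request list is copied from the thread rather than read from a live server.

```shell
#!/bin/sh
# Added example: build an sftp-server deny list (-P) and validate it against
# the request names that `sftp-server -Q requests` reports.

# Request names as listed in the thread above (copied, not queried live).
# On a host whose sftp-server supports -Q, use instead:
#   SUPPORTED=$(/usr/libexec/sftp-server -Q requests)
SUPPORTED="open close read write lstat fstat setstat fsetstat opendir readdir
remove mkdir rmdir realpath stat rename readlink symlink posix-rename statvfs
fstatvfs hardlink fsync"

# is_supported NAME: succeed only if NAME is an exact entry in $SUPPORTED.
is_supported() {
    for r in $SUPPORTED; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# build_subsystem_line SERVER_PATH REQ...: print an sshd_config Subsystem line
# that denies the given requests. Fails (status 1) on an unknown request name,
# so a typo cannot silently leave a request permitted.
build_subsystem_line() {
    server=$1; shift
    deny=""
    for req in "$@"; do
        if ! is_supported "$req"; then
            echo "unsupported request: $req" >&2
            return 1
        fi
        deny="${deny:+$deny,}$req"
    done
    [ -n "$deny" ] || { echo "empty deny list" >&2; return 1; }
    printf 'Subsystem sftp %s -P %s\n' "$server" "$deny"
}

# Both rename and posix-rename are denied: a client may send either request
# to move a directory, so blocking only one leaves the other path open.
build_subsystem_line /usr/libexec/sftp-server rmdir rename posix-rename
```

The filter acts on the request type, not on the target, so denying `rename` and `posix-rename` also blocks renaming regular files, not only directories.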