mloftis at wgops
Feb 9, 2009, 7:56 PM
Post #4 of 10
Re: Restrict commands available in an SFTP session

make the directory owned by a different user, group read and execute, other
none, and put the users you want to have access into the group.
--On February 9, 2009 9:51:20 PM -0600 Jason Dickerson
<jason.dickerson [at] gmail> wrote:
> I see your point about file permissions being fairly effective; however, I
> need to be able to keep users from changing file permissions with chown,
> chmod, and chgrp. I do not see how file permissions can accomplish this.
> My goal is to allow certain SFTP users into shared folders whose access is
> controlled by ACLs, in such a way they cannot give unauthorized users
> access to the shared folder. For instance...
> I have a chroot jail at /mountpoint/sftp. Within this there are home
> directories for users at /mountpoint/sftp/home/user. Also, there are
> shared folders at /mountpoint/sftp/shared/folder1,
> /mountpoint/sftp/shared/folder2, etc... When user1 logs in, they are
> automatically put in /mountpoint/sftp/home/user1. By ACL, user1 has access to
> /mountpoint/sftp/shared/folder1, but not .../folder2. Also, user2 has ACL
> access to /mountpoint/sftp/shared/folder2, but not .../folder1. There is
> no way to keep user1 from performing "chmod 777 /shared/folder1"; thus
> giving user2 (or any other user) unauthorized access to /shared/folder1
> within the chroot jail.
> I know to some this may seem paranoid or "hokey", but I really have a good
> reason for this.
> Any suggestions would be welcome.
> On Mon, Feb 9, 2009 at 8:13 PM, Damien Miller <djm [at] mindrot> wrote:
>> On Mon, 9 Feb 2009, Jason Dickerson wrote:
>> > I am currently running OpenSSH 4.3. I would like to restrict the
>> > SFTP users can run to a list. For example, "put, get, mput, mget,
>> > mkdir, rmdir, and rm". Is this possible with OpenSSH? I have seen
>> > many posts concerning chroot'ing and the Forced Command option, but
>> > none of these solutions address restricting the commands actually
>> > available inside the subsystem. Any insight would be greatly appreciated.
>> This isn't supported, or planned. You can perform fairly effective
>> restriction with file/directory permissions alone.
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
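The group-ownership scheme from the reply above, written out as an added example (not code from the thread or from OpenSSH): the shared folder is owned by an account the SFTP users never log in as, mode 0750, and access comes from group membership, so a member can traverse it but cannot chmod/chown it, because those calls are only honoured for the owner or root. The names "sftp-admin", "folder1-ro" and "user1" are constructed placeholders, and the stat invocations assume GNU stat with a BSD fallback.

```shell
#!/bin/sh
# Added example, not from the thread. Shared SFTP folders are owned by a
# non-login admin account and opened to a group with mode 0750; the audit
# function then lists any folder a given SFTP user could still chmod
# (because they own it) or that the world can already read.
# "sftp-admin", "folder1-ro" and "user1" are constructed placeholder names.

# Owner and mode via stat: GNU form first, BSD form as fallback.
dir_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
dir_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Create a shared directory with safe ownership and mode. Needs root,
# since -o/-g imply a chown to an account other than the caller.
#   setup_shared_dir /mountpoint/sftp/shared/folder1 sftp-admin folder1-ro
setup_shared_dir() {
    dir=$1; owner=$2; group=$3
    install -d -o "$owner" -g "$group" -m 0750 "$dir"
}

# Succeed only if the directory is mode 0750 (group may read and traverse,
# world gets nothing) and is NOT owned by the SFTP user in question, which
# is what stops that user from running chmod/chown/chgrp on it.
check_shared_dir() {
    dir=$1; sftp_user=$2
    [ "$(dir_mode "$dir")" = "750" ] && [ "$(dir_owner "$dir")" != "$sftp_user" ]
}

# Walk the top level of a shared root and warn about every folder that
# fails the check for the given user. Returns the number of bad folders
# (0 means everything is locked down as intended).
audit_shared_root() {
    root=$1; sftp_user=$2; bad=0
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        if ! check_shared_dir "$d" "$sftp_user"; then
            echo "WARN: $d owner=$(dir_owner "$d") mode=$(dir_mode "$d")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run setup_shared_dir as root for each shared folder, add the permitted SFTP accounts to the folder's group, then run audit_shared_root against the shared root for each SFTP user to confirm nothing is left owned by them or world-readable.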