Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

Restrict commands available in an SFTP session

  

 
OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


jason.dickerson at gmail

Feb 9, 2009, 4:24 PM

Post #1 of 10 (2422 views)
Permalink
Restrict commands available in an SFTP session
I am currently running OpenSSH 4.3. I would like to restrict the commands
SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
concerning chroot'ing and the Forced Command option, but none of these
solution address restricting the commands actually available inside the SFTP
subsystem. Any insight would be greatly appreciated.

Thanks,

Jason Dickerson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


djm at mindrot

Feb 9, 2009, 6:13 PM

Post #2 of 10 (2350 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
On Mon, 9 Feb 2009, Jason Dickerson wrote:

> I am currently running OpenSSH 4.3. I would like to restrict the commands
> SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> concerning chroot'ing and the Forced Command option, but none of these
> solution address restricting the commands actually available inside the SFTP
> subsystem. Any insight would be greatly appreciated.

This isn't supported, or planned. You can perform fairly effective
restriction with file/directory permissions alone.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jason.dickerson at gmail

Feb 9, 2009, 7:51 PM

Post #3 of 10 (2351 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
I see your point about file permissions being fairly effective; however, I
need to be able to keep users from changing file permissions with chown,
chmod, and chgrp. I do not see how file permissions can accomplish this.

My goal is to allow certain SFTP users into shared folders whose access is
controlled by ACL's, in such a way they cannot give unauthorized users
access to the shared folder. For instance...

I have a chroot jail at /mountpoint/sftp. Within this there are home
directories for users at /mountpoint/sftp/home/user. Also, there are shared
folders at /mountpoint/sftp/shared/folder1, /mountpoint/sftp/shared/folder2,
etc... When user1 logs in, they are automatically put in
/mountpoint/sftp/home/user1. By ACL, user1 has access to
/mountpoint/sftp/shared/folder1, but not .../folder2. Also, user2 has ACL
access to /mountpoint/sftp/shared/folder2, but not .../folder1. There is no
way to keep user1 from performing "chmod 777 /shared/folder1"; thus giving
user2 (or any other user) unauthorized access to /shared/folder1 within the
chroot jail.

I know to some this may seem paranoid or "hokey", but I really have a good
reason for this.

Any suggestions, would be welcome.

Jason



On Mon, Feb 9, 2009 at 8:13 PM, Damien Miller <djm [at] mindrot> wrote:

> On Mon, 9 Feb 2009, Jason Dickerson wrote:
>
> > I am currently running OpenSSH 4.3. I would like to restrict the
> commands
> > SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> > rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> > concerning chroot'ing and the Forced Command option, but none of these
> > solution address restricting the commands actually available inside the
> SFTP
> > subsystem. Any insight would be greatly appreciated.
>
> This isn't supported, or planned. You can perform fairly effective
> restriction with file/directory permissions alone.
>
> -d
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


mloftis at wgops

Feb 9, 2009, 7:56 PM

Post #4 of 10 (2350 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
make the directory owned by a different user, group read and execute, other
none, and put the users you want to have access into the group.

--On February 9, 2009 9:51:20 PM -0600 Jason Dickerson
<jason.dickerson [at] gmail> wrote:

> I see your point about file permissions being fairly effective; however, I
> need to be able to keep users from changing file permissions with chown,
> chmod, and chgrp. I do not see how file permissions can accomplish this.
>
> My goal is to allow certain SFTP users into shared folders whose access is
> controlled by ACL's, in such a way they cannot give unauthorized users
> access to the shared folder. For instance...
>
> I have a chroot jail at /mountpoint/sftp. Within this there are home
> directories for users at /mountpoint/sftp/home/user. Also, there are
> shared folders at /mountpoint/sftp/shared/folder1,
> /mountpoint/sftp/shared/folder2, etc... When user1 logs in, they are
> automatically put in
> /mountpoint/sftp/home/user1. By ACL, user1 has access to
> /mountpoint/sftp/shared/folder1, but not .../folder2. Also, user2 has ACL
> access to /mountpoint/sftp/shared/folder2, but not .../folder1. There is
> no way to keep user1 from performing "chmod 777 /shared/folder1"; thus
> giving user2 (or any other user) unauthorized access to /shared/folder1
> within the chroot jail.
>
> I know to some this may seem paranoid or "hokey", but I really have a good
> reason for this.
>
> Any suggestions, would be welcome.
>
> Jason
>
>
>
> On Mon, Feb 9, 2009 at 8:13 PM, Damien Miller <djm [at] mindrot> wrote:
>
>> On Mon, 9 Feb 2009, Jason Dickerson wrote:
>>
>> > I am currently running OpenSSH 4.3. I would like to restrict the
>> commands
>> > SFTP users can run to a list. For example, "put, get, mput, mget,
>> > mkdir, rmdir, and rm". Is this possible with OpenSSH? I have seen
>> > many posts concerning chroot'ing and the Forced Command option, but
>> > none of these solution address restricting the commands actually
>> > available inside the
>> SFTP
>> > subsystem. Any insight would be greatly appreciated.
>>
>> This isn't supported, or planned. You can perform fairly effective
>> restriction with file/directory permissions alone.
>>
>> -d
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev [at] mindrot
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


peter at stuge

Feb 9, 2009, 10:47 PM

Post #5 of 10 (2350 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
Michael Loftis wrote:
> > There is no way to keep user1 from performing
> > "chmod 777 /shared/folder1"; thus giving user2 (or any other
> > user) unauthorized access to /shared/folder1 within the chroot
> > jail.
>
> make the directory owned by a different user, group read and
> execute, other none, and put the users you want to have access into
> the group.

To clarify, this applies to /mountpoint/sftp/shared in your case.

If your users do not have write permission in /shared they can not
change permissions for the subdirectories.

That said, I sometimes also want a little more out of sftp-server
than it can do at present. Has there been any discussion upstream
about a configuration file for sftp-server? For starters I would like
to set umask and have a way to artificially restrict and/or enforce
permissions and ownership on a per-directory basis. I can hack but it
will likely take forever until anything is finished.


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


sfandino at yahoo

Feb 10, 2009, 9:11 AM

Post #6 of 10 (2338 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
Jason Dickerson wrote:
> I am currently running OpenSSH 4.3. I would like to restrict the commands
> SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> concerning chroot'ing and the Forced Command option, but none of these
> solution address restricting the commands actually available inside the SFTP
> subsystem. Any insight would be greatly appreciated.
>
> Thanks,
>
> Jason Dickerson

The sftp-server application source code is quite simple.

It will require a minimal C knowledge to replace the unwanted command
handlers with versions that return SSH_FXP_STATUS messages with a
SSH_FX_FAILURE code.

Modify the source, compile it and install the new application on your
server (as /usr/lib/my-sftp-server, for instance) and change the sshd
sftp sub-system configuration to use it for all or some users.

Cheers,

- Salva

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


peter at stuge

Feb 9, 2012, 5:35 AM

Post #7 of 10 (792 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
Hi Sonja,

Sonja Meyer wrote:
> i am using SFTP with CHROOT. I want to allow my users that they can
> upload and download with the sftp server, but they should never do
> an MKDIR!
> Is it possible to restrict commands and how can i do this?

sftp-server has no provisions for this.


> i only found material of modifing the source...and that is not the
> best way for me.

Maybe you can work with filesystem permissions and ACLs.


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jdmossh at nand

Feb 12, 2012, 11:48 AM

Post #8 of 10 (787 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
Hello,

I had a similar need, so I've maintained a patch to do just that, with a
new sshd_config option that can be global or in a Match block.

Could my patch possibly be merged? I'd be grateful for feedback either way.

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

Many thanks,
Jeremy Monin
Sysadmin and open-source developer

On Thu, 9 Feb 2012, Peter Stuge wrote:

> Date: Thu, 9 Feb 2012 14:35:53 +0100
> From: Peter Stuge <peter [at] stuge>
> To: openssh-unix-dev [at] mindrot
> Subject: Re: Restrict commands available in an SFTP session
>
> Hi Sonja,
>
> Sonja Meyer wrote:
>> i am using SFTP with CHROOT. I want to allow my users that they can
>> upload and download with the sftp server, but they should never do an
>> MKDIR! Is it possible to restrict commands and how can i do this?
>
> sftp-server has no provisions for this.
>
>
>> i only found material of modifing the source...and that is not the
>> best way for me.
>
> Maybe you can work with filesystem permissions and ACLs.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev [at] mindrot
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


peter at stuge

Feb 12, 2012, 12:19 PM

Post #9 of 10 (786 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
Jeremy Monin wrote:
> I had a similar need, so I've maintained a patch to do just that, with a
> new sshd_config option that can be global or in a Match block.
>
> Could my patch possibly be merged? I'd be grateful for feedback
> either way.

I for one like the code but the name really sucks. Long and awkward. :)


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jdmossh at nand

Feb 12, 2012, 1:54 PM

Post #10 of 10 (783 views)
Permalink
Re: Restrict commands available in an SFTP session [In reply to]
On Sun, 12 Feb 2012, Peter Stuge wrote:
> I for one like the code but the name really sucks. Long and awkward. :)

Thank you. It's definitely a klunky name. Maybe something like
SFtpBasicsOnly ? The name isn't important of course, just the
functionality.

-Jeremy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.