[Bug 3451] New: Log which sftp command has been denied due to blacklist

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 24 18:40:14 AEST 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3451

            Bug ID: 3451
           Summary: Log which sftp command has been denied due to
                    blacklist
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp-server
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daku8938 at gmx.de

When restricting the allowed sftp-server commands with the
whitelist/blacklist options (-p / -P) and the client requests a
disallowed command, only "sent status Permission denied" is logged:

internal-sftp[1234]: sent status Permission denied

For transparency (to be able to distinguish which one, if multiple
commands are not allowed), it would be better if the denied command
were logged too, e.g.

internal-sftp[1234]: sent status Permission denied (mkdir)

I think it would be sufficient to only log the command without any
parameters (like directory names), as above, to make clear that the
command in general is forbidden, regardless of its parameters.

Here is my -p whitelist, which does not contain rmdir/mkdir and works
fine, aside from the uninformative log.

Subsystem sftp internal-sftp
ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p
open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync

I could not see in the release notes

https://www.openssh.com/releasenotes.html

that this logging has changed since the version I am currently
using, which is 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.
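An added example, not from the report or from OpenSSH: since the status line does not name the refused request, an admin can at least derive the denied set from the ForceCommand line. This Python parses the -p/-P options, diffs the allowlist against a request-name set assumed for the reporter's version, and counts the bare "Permission denied" status lines per process over constructed syslog lines.

```python
import re
import shlex

# Request names sftp-server's -p/-P match against: the core protocol requests
# plus the reporter's extensions. Version dependent, assumed here for 7.6/9.0.
KNOWN_REQUESTS = frozenset({
    "open", "close", "read", "write", "lstat", "fstat", "setstat", "fsetstat",
    "opendir", "readdir", "remove", "mkdir", "rmdir", "realpath", "stat",
    "rename", "readlink", "symlink",
    "posix-rename", "statvfs", "fstatvfs", "hardlink", "fsync"})
OPTS_WITH_ARG = {"-d", "-f", "-l", "-u", "-Q", "-p", "-P"}  # a value follows
# Constructed inputs modelled on the report: its ForceCommand line and syslog
# lines in the shape the reporter quotes.
SAMPLE_FORCE_COMMAND = ("ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p open,close,"
    "read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,"
    "rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync")
SAMPLE_LOG = ["Jun 24 18:40:15 host internal-sftp[1234]: sent status Permission denied",
              "Jun 24 18:40:16 host internal-sftp[1234]: sent status Permission denied",
              "Jun 24 18:41:02 host internal-sftp[1300]: sent status Permission denied",
              "Jun 24 18:41:03 host internal-sftp[1300]: sent status No such file"]

def parse_force_command(line):
    """(allowlist, denylist) from a 'ForceCommand internal-sftp ...' line; None if absent."""
    argv = shlex.split(line)
    if argv[:2] != ["ForceCommand", "internal-sftp"]:
        raise ValueError("not an internal-sftp ForceCommand line")
    allow = deny = None
    args, i = argv[2:], 0
    while i < len(args):
        if args[i] == "-p":
            allow = set(args[i + 1].split(","))
        elif args[i] == "-P":
            deny = set(args[i + 1].split(","))
        i += 2 if args[i] in OPTS_WITH_ARG else 1  # skip an option's value
    return allow, deny

def denied_requests(allow, deny):
    """Denylist (checked first by sftp-server) plus every known request an allowlist omits."""
    result = set(deny or ())
    if allow is not None:
        result |= KNOWN_REQUESTS - allow
    return result

def count_denials(lines):
    """Per-PID count of denial status lines; all the current log lets an admin extract."""
    pat = re.compile(r"internal-sftp\[(\d+)\]: sent status Permission denied$")
    counts = {}
    for m in filter(None, map(pat.search, lines)):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
```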
