[Bug 3451] New: Log which sftp command has been denied due to blacklist
bugzilla-daemon at mindrot.org
Fri Jun 24 18:40:14 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3451
Bug ID: 3451
Summary: Log which sftp command has been denied due to blacklist
Product: Portable OpenSSH
Version: v9.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: daku8938 at gmx.de
When restricting the allowed sftp-server commands with the
whitelist/blacklist options (-p / -P)
and the client requests a disallowed command, only "sent
status Permission denied" is logged:
internal-sftp[1234]: sent status Permission denied
For transparency (if multiple commands are not allowed, to be able to
distinguish), it would be better that the denied command would be
logged, too, e.g.
internal-sftp[1234]: sent status Permission denied (mkdir)
I think it would be sufficient to only log the command without any
parameters (like directory names), like above, to make clear that the
command in general is forbidden, regardless of its parameters.
Here is my -p whitelist, which does not contain rmdir/mkdir and works
fine, aside from the uninformative log.
Subsystem sftp internal-sftp
ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync
I could not see in the release notes
https://www.openssh.com/releasenotes.html
that this logging would have changed since the version I am currently
using, which is 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.
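Added example (not part of the bug report or of OpenSSH): a small Python helper that parses the -p / -P request lists out of a ForceCommand line like the one above and reports which SFTP request names a client would be refused. It assumes plain name matching (the real server uses pattern lists) and that a blacklist entry wins over a whitelist entry; the ForceCommand string is a constructed copy of the reporter's configuration.

```python
import shlex

# Constructed copy of the reporter's ForceCommand line (the sshd_config keyword removed).
FORCE_COMMAND = (
    "internal-sftp -u 0002 -f LOCAL5 -l INFO -p "
    "open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,"
    "remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,"
    "fstatvfs,hardlink,fsync"
)


def parse_request_lists(force_command):
    """Return (whitelist, blacklist) from an sftp-server/internal-sftp command line.

    Only -p (whitelist) and -P (blacklist) are interpreted; every other flag and
    its argument (e.g. -u 0002, -l INFO) is skipped. A missing list is None.
    """
    argv = shlex.split(force_command)
    whitelist = blacklist = None
    i = 1  # argv[0] is the program name
    while i < len(argv):
        if argv[i] in ("-p", "-P") and i + 1 < len(argv):
            names = [n.strip() for n in argv[i + 1].split(",") if n.strip()]
            if argv[i] == "-p":
                whitelist = names
            else:
                blacklist = names
            i += 2
        else:
            i += 1
    return whitelist, blacklist


def request_permitted(name, whitelist, blacklist):
    """Decide whether a request name is allowed (assumption: blacklist is checked
    first, then the whitelist; with no whitelist everything else is allowed)."""
    if blacklist is not None and name in blacklist:
        return False
    if whitelist is not None:
        return name in whitelist
    return True


def denied_requests(force_command, requests):
    """Sorted list of the given request names that this configuration refuses."""
    whitelist, blacklist = parse_request_lists(force_command)
    return sorted(r for r in requests if not request_permitted(r, whitelist, blacklist))


if __name__ == "__main__":
    # With the reporter's whitelist, mkdir and rmdir are the refused requests.
    print(denied_requests(FORCE_COMMAND, ["open", "mkdir", "rmdir", "fsync"]))
```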