sftp-server and chown

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Thu Feb 22 02:48:03 EST 2001


On Wed, Feb 21, 2001 at 04:39:58PM +0100, Andy Polyakov wrote:
> > If the sftp-client sends a request for CHOWN, why should I
> > ignore it?
> 
> Because chown doesn't belong in file transfer protocol and sftp should
> not be an exclusion. As I said, numerical ids are very likely different
> and chown is simply meaningless. Yes, they've specified it in protocol.
> So what? They wanted to have the option opened, but it doesn't
> automatically qualify it for implementation.

i still don't see why i should ignore the CHOWN request, just because you don't
like the idea of 'chown'?

> > sftp-server is running with the uid/privileges of the user, so why
> > care?
> 
> As I already said, some systems *permit* chown to another uid even for
> non-privileged users (and most systems can be configured by changing a
> kernel parameter to permit this operation and some do configure it so)
> and this is one-way operation, i.e. once I did 'chown markus file' I
> can't chown it back to myself.

well, so why should i ignore chown if it's legal on some
systems?

> > > In addition
> > > I think it's also irresponsible to blindly chmod files as different
> > > systems might have different access policies (e.g. different umasks).
> > > Therefore following patch (relative to OpenSSH 2.5.1p1) is suggested.
> > 
> > The sftp-server runs under the uid of the user, and the environment is
> > set up by executing the login shell, so umask is set.
> 
> But umask doesn't prevent you from explicit chmod, does it?

no, but if a client wants to do chmod() why should i deny
the request? it's 'his' file.

> And that's
> what happens, client asks for explicit chmod and umask is ineffective
> then. Also note that explicit chmod can break file access/creation
> policy controlled by ACLs... To tell you the truth I don't believe
> absolute chmod belongs in file transfer protocol either. One should
> probably limit it to incremental +x only (i.e. if you ask me:-).

i think you should post your concerns about chown and chmod to the
ietf-ssh at clinet.fi list.

-m
