Restrict commands available in an SFTP session
Jason Dickerson
jason.dickerson at gmail.com
Tue Feb 10 14:51:20 EST 2009
I see your point about file permissions being fairly effective; however, I
need to be able to keep users from changing file permissions with chown,
chmod, and chgrp. I do not see how file permissions can accomplish this.
My goal is to allow certain SFTP users into shared folders whose access is
controlled by ACLs, in such a way that they cannot give unauthorized users
access to the shared folder. For instance...
I have a chroot jail at /mountpoint/sftp. Within this there are home
directories for users at /mountpoint/sftp/home/user. Also, there are shared
folders at /mountpoint/sftp/shared/folder1, /mountpoint/sftp/shared/folder2,
etc... When user1 logs in, they are automatically put in
/mountpoint/sftp/home/user1. By ACL, user1 has access to
/mountpoint/sftp/shared/folder1, but not .../folder2. Also, user2 has ACL
access to /mountpoint/sftp/shared/folder2, but not .../folder1. There is no
way to keep user1 from performing "chmod 777 /shared/folder1"; thus giving
user2 (or any other user) unauthorized access to /shared/folder1 within the
chroot jail.
I know to some this may seem paranoid or "hokey", but I really have a good
reason for this.
Any suggestions would be welcome.
Jason
On Mon, Feb 9, 2009 at 8:13 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 9 Feb 2009, Jason Dickerson wrote:
>
> > I am currently running OpenSSH 4.3. I would like to restrict the commands
> > SFTP users can run to a list. For example, "put, get, mput, mget, mkdir,
> > rmdir, and rm". Is this possible with OpenSSH? I have seen many posts
> > concerning chroot'ing and the Forced Command option, but none of these
> > solutions address restricting the commands actually available inside the
> > SFTP subsystem. Any insight would be greatly appreciated.
>
> This isn't supported, or planned. You can perform fairly effective
> restriction with file/directory permissions alone.
>
> -d
>
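An added example, not code from the thread or from OpenSSH, showing the layout described above done with permissions alone: root owns each shared folder and plain group ownership stands in for the message's ACLs, so a user who is not the owner gets EPERM from chmod, chown and chgrp whatever SFTP client they use. It also checks the ownership and mode invariants sshd requires of a ChrootDirectory path and writes a matching sshd_config fragment. ROOT, the user and group names (user1, user2, folder1, folder2, sftponly), GNU coreutils stat, and the availability of Match, ChrootDirectory, internal-sftp and its -P option (all later than the 4.3 in the thread) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: build the chroot
# layout the message describes and check the invariants that let "permissions
# alone" stop chmod/chown/chgrp on the shared folders. Paths under ROOT, the
# group names folder1/folder2/sftponly and the user names are assumptions.
# Uses GNU coreutils stat(1) (-c).

ROOT="${ROOT:-/mountpoint/sftp}"

# Succeed when an octal mode string as printed by `stat -c %a` (755, 2770, ...)
# carries no write bit for group or others; sshd refuses a ChrootDirectory
# whose path components are group- or world-writable.
mode_ok() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# Same check against a path on disk.
dir_mode_ok() {
    mode_ok "$(stat -c '%a' "$1")"
}

# Walk from the chroot up to /, verifying every component is root-owned and
# not group/other-writable, as ChrootDirectory requires.
chroot_path_ok() {
    p="$1"
    while :; do
        dir_mode_ok "$p" || { echo "group/other-writable: $p" >&2; return 1; }
        [ "$(stat -c '%u' "$p")" -eq 0 ] || { echo "not root-owned: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Lay out the jail (run as root). The shared folders are owned by root, so a
# user who is not their owner cannot chmod/chown/chgrp them: the kernel
# returns EPERM. Membership in group folder1/folder2 is what grants access;
# setgid (2770) keeps new files in that group. Files user1 creates inside
# folder1 are user1-owned and user1 may chmod them, but user2 still cannot
# traverse folder1 without group membership.
setup_layout() {
    mkdir -p "$ROOT/home/user1" "$ROOT/home/user2" \
             "$ROOT/shared/folder1" "$ROOT/shared/folder2"
    chown root:root "$ROOT" "$ROOT/home" "$ROOT/shared"
    chmod 755 "$ROOT" "$ROOT/home" "$ROOT/shared"
    for u in user1 user2; do
        chown "$u:$u" "$ROOT/home/$u"       # private home inside the jail
        chmod 700 "$ROOT/home/$u"
    done
    for f in folder1 folder2; do
        chown "root:$f" "$ROOT/shared/$f"   # root owns; group $f may enter
        chmod 2770 "$ROOT/shared/$f"
    done
}

# sshd_config fragment. Match, ChrootDirectory and internal-sftp postdate the
# 4.3 in the thread; -P setstat,fsetstat (assumed available in the installed
# release) denies the SFTP requests that chmod/chown/chgrp are sent as.
# Without -P, root ownership of the shared folders still stops chmod on them.
# Set each user's passwd home to /home/<user> so sftp starts inside the jail.
write_sshd_fragment() {
    cat <<EOF
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory $ROOT
    ForceCommand internal-sftp -P setstat,fsetstat
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

case "${1:-}" in
    setup) setup_layout && chroot_path_ok "$ROOT" && write_sshd_fragment ;;
    check) chroot_path_ok "${2:-$ROOT}" ;;
esac
```

Run `sh script.sh setup` as root to create the layout and print the fragment; `sh script.sh check /mountpoint/sftp` only verifies the path. The point the thread turns on is that chmod, chown and chgrp are refused by the kernel for anyone but a file's owner (or root), so making root the owner of each shared folder is enough to keep user1 from opening folder1 to user2 even on a release whose sftp-server has no -P option.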