Restrict commands available in an SFTP session

Michael Loftis mloftis at wgops.com
Tue Feb 10 14:56:31 EST 2009


make the directory owned by a different user, group read and execute, other 
none, and put the users you want to have access into the group.

--On February 9, 2009 9:51:20 PM -0600 Jason Dickerson 
<jason.dickerson at gmail.com> wrote:

> I see your point about file permissions being fairly effective; however, I
> need to be able to keep users from changing file permissions with chown,
> chmod, and chgrp.  I do not see how file permissions can accomplish this.
>
> My goal is to allow certain SFTP users into shared folders whose access is
> controlled by ACL's, in such a way they cannot give unauthorized users
> access to the shared folder.  For instance...
>
> I have a chroot jail at /mountpoint/sftp.  Within this there are home
> directories for users at /mountpoint/sftp/home/user.  Also, there are
> shared folders at /mountpoint/sftp/shared/folder1,
> /mountpoint/sftp/shared/folder2, etc...  When user1 logs in, they are
> automatically put in
> /mountpoint/sftp/home/user1.  By ACL, user1 has access to
> /mountpoint/sftp/shared/folder1, but not .../folder2.  Also, user2 has ACL
> access to /mountpoint/sftp/shared/folder2, but not .../folder1.  There is
> no way to keep user1 from performing "chmod 777 /shared/folder1"; thus
> giving user2 (or any other user) unauthorized access to /shared/folder1
> within the chroot jail.
>
> I know to some this may seem paranoid or "hokey", but I really have a good
> reason for this.
>
> Any suggestions, would be welcome.
>
> Jason
>
>
>
> On Mon, Feb 9, 2009 at 8:13 PM, Damien Miller <djm at mindrot.org> wrote:
>
>> On Mon, 9 Feb 2009, Jason Dickerson wrote:
>>
>> > I am currently running OpenSSH 4.3.  I would like to restrict the
>> commands
>> > SFTP users can run to a list.  For example, "put, get, mput, mget,
>> > mkdir, rmdir, and rm".  Is this possible with OpenSSH?  I have seen
>> > many posts concerning chroot'ing and the Forced Command option, but
>> > none of these solution address restricting the commands actually
>> > available inside the
>> SFTP
>> > subsystem.  Any insight would be greatly appreciated.
>>
>> This isn't supported, or planned. You can perform fairly effective
>> restriction with file/directory permissions alone.
>>
>> -d
>>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-- 
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


More information about the openssh-unix-dev mailing list