Restrict commands available in an SFTP session
Peter Stuge
peter at stuge.se
Tue Feb 10 17:47:27 EST 2009
Michael Loftis wrote:
> > There is no way to keep user1 from performing
> > "chmod 777 /shared/folder1"; thus giving user2 (or any other
> > user) unauthorized access to /shared/folder1 within the chroot
> > jail.
>
> make the directory owned by a different user, group read and
> execute, other none, and put the users you want to have access into
> the group.

To clarify, this applies to /mountpoint/sftp/shared in your case.
If your users do not have write permission in /shared they can not
change permissions for the subdirectories.

That said, I sometimes also want a little more out of sftp-server
than it can do at present. Has there been any discussion upstream
about a configuration file for sftp-server? For starters I would like
to set umask and have a way to artificially restrict and/or enforce
permissions and ownership on a per-directory basis. I can hack but it
will likely take forever until anything is finished.

//Peter
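
An added example, not part of the original message or of OpenSSH: a small audit of the directory layout suggested in the quoted reply (owner is not one of the SFTP users, group has read and execute, other has nothing). The function name, the finding labels and the `sftp_uids` parameter are assumptions made for illustration, and the sample directory is constructed in a temporary location.

```python
import os
import stat
import tempfile


def audit_shared_dir(path, sftp_uids):
    """Return findings for a shared directory inside an SFTP chroot.

    sftp_uids: set of numeric uids belonging to the restricted SFTP users
    (hypothetical input; the caller decides which accounts count).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("not-a-directory")
    # chmod(2) succeeds for the file's owner (or root), so a directory
    # owned by an SFTP user can have its mode widened by that user.
    if st.st_uid in sftp_uids:
        findings.append("owned-by-sftp-user")
    # "other none": no read, write or execute bits for everyone else.
    if mode & stat.S_IRWXO:
        findings.append("other-has-access")
    # "group read and execute": write for the group is a deviation.
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    wanted = stat.S_IRGRP | stat.S_IXGRP
    if (mode & wanted) != wanted:
        findings.append("group-cannot-read-or-traverse")
    return findings


def demo():
    """Audit a constructed directory in a weak and a corrected state."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "folder1")
        os.mkdir(shared)
        me = os.getuid()
        # Weak: the current user stands in for user1 and owns the directory.
        os.chmod(shared, 0o777)
        weak = audit_shared_dir(shared, {me})
        # Corrected mode; the owner is treated as a non-SFTP account.
        os.chmod(shared, 0o750)
        good = audit_shared_dir(shared, {me + 1})
        return weak, good


if __name__ == "__main__":
    print(demo())
```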