[SFTP] Possibility for Adding "ForceFilePermission" option

Jakub Jelen jjelen at redhat.com
Tue Dec 19 03:34:36 AEDT 2017


On Tue, 2017-12-19 at 02:03 +1030, David Newall wrote:
> On 18/12/17 22:33, Jakub Jelen wrote:
> > during last month, there were already two emails in this mailing list
> > discussing [forced permissions]:
> > 
> > https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036468.html
> 
> This seems like a reasonable and useful feature.  It's simple to 
> implement, and, (apparently) there's already a patch to do it.
> 
> I can think of one reason why further thought is required.  It could be
> argued that this needs to be determined per-user.  That is, should there
> be some way to specify a group of users for whom permissions are not
> forced; or, in the alternative, a group of users for whom permissions
> must be forced.

ForceCommand can accept an argument with sftp-server/internal-sftp, and it
can already appear in Match blocks, so you can very simply adjust the
SFTP-only access for separate groups/users with this simple patch.

What is missing is a force mode for directories, but I would consider
this a minor issue, if it is ever needed in real-world use cases.

Regards,
Jakub
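
A sketch of the per-group setup described in this message, as an added example that is not part of the original email or of the patch under discussion. The group names and chroot path are hypothetical, and `-u` is the stock sftp-server umask option, used because the message does not name the option the patch adds.

```conf
# sshd_config fragment (constructed example; group names and paths are assumptions)

# Serve SFTP in-process so no sftp-server binary is needed inside a chroot.
Subsystem sftp internal-sftp

# Group whose uploads must not be group-writable or world-readable.
# ForceCommand replaces whatever the client asked to run, so members of
# this group get SFTP only, with the arguments given here.
Match Group sftp-partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no

# Second group with a looser policy. A user in both groups gets the
# ForceCommand from the first matching block, because only the first
# instance of a keyword across satisfied Match blocks is applied.
Match Group sftp-staff
    ForceCommand internal-sftp -u 0022
    AllowTcpForwarding no

# Accounts matching neither block keep the global settings and are not
# restricted to SFTP.
#
# -u sets a umask for newly created files and directories. The forced
# file mode added by the patch would be passed as a further argument in
# the same ForceCommand position; its option name is not given in this
# message, so it is not shown here.
```

After editing, `sshd -t` checks the file for syntax errors, and `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the effective settings for a given connection so the resolved ForceCommand can be confirmed per user.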


