[SFTP] Possibility for Adding "ForceFilePermission" option

House Lee hlee at vendasta.com
Tue Dec 19 03:46:53 AEDT 2017


Hi Jakub,

Sorry for the late reply. I was off from work for a few days. 

I’ve tried to add the noexec, nosuid and nodev mount options but it seems to have some difficulties to do so with kubernetes nfs-mount. I’ll keep trying to resolve it anyway.

The patch you pasted is exactly the thing I wanna have. I think it’s super useful and I definitely vote yes for merging it to master. I was actually planning to create a patch myself if not seeing your reply. Is it possible to raise a concern about this patch in the developer group?

Regarding the “a script that fixes file permissions upon upload”, this is also an interesting idea. But how do I add a hook that is listening to the upload events?

Thanks & Best Regards
House


> On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen at redhat.com> wrote:
> 
> On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
>> Hi,
>> 
>> I understand that if I specify `ForceCommand internal-sftp -u
>> <umask>`, the permission of any files uploaded via sftp will be
>> calculated by `<original permission> & ~umask`. However, this can be
>> bypassed by the `-P` option of `put` command. We are developing a
>> shared hosting platform, therefore we definitely don’t want our users
>> being able to upload any executable files. We can not disable the x
>> permission by umask because directories need the x permission. 
>> 
>> Is there any possible way to accomplish this? or is it possible to
>> add a `ForceFilePermission` and `ForceDirPermission` option in the
>> sshd_config ?
>> 
>> Thanks & Best Regards,
>> House
> 
> 
> Hello,
> during last month, there were already two emails in this mailing list
> discussing this issue:
> 
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
> November/036468.html
> 
> The patch exists here since 2010 and it is currently used in
> Fedora/RHEL to a great satisfaction, though it was never accepted by
> upstream nor there was any official statement if they will eventually
> accept this change or why not (and in which I would be greatly
> interested).
> 
> Best advise I have is to pull that patch from the linked thread above.
> Or have some script that is fixing the files permissions upon upload.
> 
> Regards,
> Jakub
> 
> -- 
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.



More information about the openssh-unix-dev mailing list