[SFTP] Possibility for Adding "ForceFilePermission" option
House Lee
hlee at vendasta.com
Tue Dec 19 03:46:53 AEDT 2017
Hi Jakub,
Sorry for the late reply. I was off from work for a few days.
I’ve tried to add the noexec, nosuid and nodev mount options but it seems to have some difficulties to do so with kubernetes nfs-mount. I’ll keep trying to resolve it anyway.
The patch you pasted is exactly the thing I wanna have. I think it’s super useful and I definitely vote yes for merging it to master. I was actually planning to create a patch myself if not seeing your reply. Is it possible to raise a concern about this patch in the developer group?
Regarding the “a script that fixes file permissions upon upload”, this is also an interesting idea. But how do I add a hook that is listening to the upload events?
Thanks & Best Regards
House
> On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen at redhat.com> wrote:
>
> On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
>> Hi,
>>
>> I understand that if I specify `ForceCommand internal-sftp -u
>> <umask>`, the permission of any files uploaded via sftp will be
>> calculated by `<original permission> & ~umask`. However, this can be
>> bypassed by the `-P` option of `put` command. We are developing a
>> shared hosting platform, therefore we definitely don’t want our users
>> being able to upload any executable files. We can not disable the x
>> permission by umask because directories need the x permission.
>>
>> Is there any possible way to accomplish this? or is it possible to
>> add a `ForceFilePermission` and `ForceDirPermission` option in the
>> sshd_config ?
>>
>> Thanks & Best Regards,
>> House
>
>
> Hello,
> during last month, there were already two emails in this mailing list
> discussing this issue:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
> November/036468.html
>
> The patch exists here since 2010 and it is currently used in
> Fedora/RHEL to a great satisfaction, though it was never accepted by
> upstream nor there was any official statement if they will eventually
> accept this change or why not (and in which I would be greatly
> interested).
>
> Best advise I have is to pull that patch from the linked thread above.
> Or have some script that is fixing the files permissions upon upload.
>
> Regards,
> Jakub
>
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
More information about the openssh-unix-dev
mailing list