Disabling specific commands in sftp

Nico Kadel-Garcia nkadel at gmail.com
Sun Feb 12 05:12:57 AEDT 2017


On Fri, Feb 10, 2017 at 3:20 AM, Alexandre MALDEME <A.MALDEME at olky.eu> wrote:
> Hi,
>
> On CentOS 7 I’m trying to set up a chrooted SFTP server on which specific users can only read and write on specific folder. And I’d like to disable some commands, so the users can only do ‘cd’, ‘ls’, ‘get’ and ‘put’ (and disabling ‘chgrp’, ‘chmod’, ‘chown’, ‘df’ etc …). Is there a way to achieve it, natively or with using a third-party software ?

There were some published OpenSSH chroot patches years ago, but
they've been repeatedly rejected for various security reasons. The
underlying reasoning seems to be that a chroot cage is not a
completely reliable security measure, since enough of the operating
system is necessarily exposed inside the chroot cage to create a risk
of possible exploitation and access to the hosting system. I've
personally disagreed with this approach for a long time, because the
lack of such tools leaves many casual administrators simply exposing
their systems with full shell access and much less limited tools.

There is an old add-on tool called "rssh" that pretty effectively
limits access to rsync, sftp, or scp on a selectable and configurable
basis for specific users. It does badly need an update to its chroot
cage building tool, which I've submitted as a patch and the maintainer
of rssh has elected not to manage or maintain that tool. Rssh is
available at http://www.pizzashack.org/rssh/. My chroot cage building
tools to go with it are at
https://github.com/nkadel/rssh-chroot-tools.

Another fast and dirty tool is to use the "validate-rsync.sh" tool
locked to SSH key "command" settings, to fairly effectively allow only
rsync access.

Another approach is to give up on sftp, which does have some
longstanding limitations, and use more cage-manageable tools like
WebDAV over HTTPS, which is more easily published as a pure user-space
without any other chroot cage components in it and is Apache
supported, or even plain old FTPS, which also works well and is built
into vsftpd.


> Alexandre MALDEME
> Operations Analyst
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
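The "validate-rsync.sh" forced-command pattern referred to in the reply above, written out as an added example. This is not Nico's script, the rssh project's code, or anything from the original thread; it assumes the script is installed as /usr/local/bin/validate-rsync.sh and that the only tree clients may sync is /srv/share (both are assumptions; adjust for your deployment). The idea is that the key in authorized_keys is pinned to this script with command="...", so the user never gets a shell or sftp at all: sshd runs the script, hands over what the client actually asked for in SSH_ORIGINAL_COMMAND, and the script either exec's a whitelisted rsync server invocation or refuses.

```shell
#!/bin/sh
# validate-rsync.sh (added example, not from the thread or from rssh).
# Install under the key in ~/.ssh/authorized_keys, for example:
#   command="/usr/local/bin/validate-rsync.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... backup@client
# sshd then ignores the client's command line, runs this script, and exposes the
# client's requested command in $SSH_ORIGINAL_COMMAND for us to vet.

ALLOWED_ROOT="/srv/share"   # assumed export tree (hypothetical path)

# allowed_rsync CMD: return 0 if CMD is exactly an rsync server invocation confined
# to $ALLOWED_ROOT, 1 otherwise. It is a plain whitelist on the whole string, so
# anything rsync did not generate (sftp-server, a shell, extra options) is refused.
#   client pull "rsync -a host:/srv/share/x ." arrives as: rsync --server --sender -OPTS . /srv/share/x
#   client push "rsync -a x host:/srv/share/"  arrives as: rsync --server -OPTS . /srv/share/
allowed_rsync() {
    cmd=$1
    nl='
'
    # Reject embedded newlines (grep would otherwise match line by line) and any
    # "..", since the character class below would accept a component of only dots.
    case "$cmd" in
        *"$nl"*|*..*) return 1 ;;
    esac
    # Whole-line match: fixed prefix, one short option group, the literal ".", then a
    # path under the allowed tree made of safe characters only. No shell metacharacters,
    # no globbing characters, no second command can get through this.
    printf '%s\n' "$cmd" | grep -Eq \
        "^rsync --server( --sender)? -[A-Za-z0-9.]+ \\. $ALLOWED_ROOT(/[A-Za-z0-9._-]+)*/?\$" \
        || return 1
    return 0
}

# main: what sshd actually runs. Exec the vetted rsync, or log and refuse.
main() {
    if allowed_rsync "${SSH_ORIGINAL_COMMAND-}"; then
        set -f                          # no globbing while word-splitting the vetted command
        exec $SSH_ORIGINAL_COMMAND      # validated above: starts with "rsync --server"
    fi
    logger -p auth.warning -t validate-rsync \
        "rejected command from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<no command, interactive login attempt>}"
    echo "Only rsync to $ALLOWED_ROOT is permitted on this key" >&2
    exit 1
}

# Dispatch only when running as the installed script, so the functions can be
# sourced and exercised without a real sshd session.
case "${0##*/}" in
    validate-rsync.sh) main ;;
esac
```

Anything rsync adds to its server command line beyond the single short-option group (for example --delete, --exclude-from) is rejected by the whitelist and must be added to the pattern deliberately; that is the point of a whitelist rather than a blacklist of metacharacters. Pair the key with no-pty and the other restrictions shown in the comment, because the forced command alone does not stop port or agent forwarding.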
