Disabling specific commands in sftp

Jonathan Pauli jonathan at pauliwerks.com
Sun Feb 12 06:40:28 AEDT 2017


I think for this I might try running sftp in a container instead of chroot.

I might then add some feature flags around the commands I don't like and compile a custom version of it. Of course, auditors hate me, but so it goes. 



> On Feb 11, 2017, at 10:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> 
>> On Fri, Feb 10, 2017 at 3:20 AM, Alexandre MALDEME <A.MALDEME at olky.eu> wrote:
>> Hi,
>> 
>> On CentOS 7 I’m trying to set up a chrooted SFTP server on which specific users can only read and write in a specific folder. And I’d like to disable some commands, so the users can only do ‘cd’, ‘ls’, ‘get’ and ‘put’ (disabling ‘chgrp’, ‘chmod’, ‘chown’, ‘df’ etc …). Is there a way to achieve it, natively or using third-party software?
> 
> There were some published OpenSSH chroot patches years ago, but
> they've been repeatedly rejected for various security reasons. The
> underlying reasoning seems to be that a chroot cage is not a
> completely reliable security measure, since enough of the operating
> system is necessarily exposed inside the chroot cage to create a risk
> of possible exploitation and access to the hosting system. I've
> personally disagreed with this approach for a long time, because the
> lack of such tools leaves many casual administrators simply exposing
> their systems with full shell access and much less limited tools.
> 
> There is an old add-on tool called "rssh" that pretty effectively
> limits access to rsync, sftp, or scp on a selectable and configurable
> basis for specific users. It does badly need an update to its chroot
> cage building tool, which I've submitted as a patch and the maintainer
> of rssh has elected not to manage or maintain that tool. Rssh is
> available at http://www.pizzashack.org/rssh/. My chroot cage building
> tools to go with it are at
> https://github.com/nkadel/rssh-chroot-tools.
> 
> Another fast and dirty tool is to use the "validate-rsync.sh" tool
> locked to SSH key "command" settings, to fairly effectively allow only
> rsync access.
> 
> Another approach is to give up on sftp, which does have some
> longstanding limitations, and use more cage-manageable tools like
> WebDAV over HTTPS, which is more easily published as a pure user-space
> without any other chroot cage components in it and is Apache
> supported, or even plain old FTPS, which also works well and is built
> into vsftpd.
> 
> 
>> Alexandre MALDEME
>> Analyste d'exploitation
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
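Added example, not posted by anyone in the thread and not part of OpenSSH itself: the question asks for a chrooted SFTP setup where chgrp, chmod, chown and df are refused. Those client commands are just SFTP protocol requests (setstat/fsetstat and the statvfs@openssh.com extension), and stock sftp-server/internal-sftp accepts a -P list of request names to deny, so no patched server or rssh is needed for that part. The script below maps the client commands to the request names, checks them against the names the server knows, and emits the sshd_config Match block. The group name sftponly, the chroot path /srv/sftp/%u and the request-name snapshot are assumptions for the demo; regenerate the snapshot with `sftp-server -Q requests` on the target host.

```shell
#!/bin/sh
# Added example: build and sanity-check an sshd_config Match block that
# chroots members of a group and uses `internal-sftp -P` to refuse the
# protocol requests behind the sftp(1) commands chmod/chown/chgrp and df.
# Group name, chroot path and the request snapshot are assumptions.

# Request names as printed by `sftp-server -Q requests` on OpenSSH 7.x.
# Constructed snapshot so this runs offline; on CentOS 7 regenerate with:
#   /usr/libexec/openssh/sftp-server -Q requests
KNOWN_REQUESTS='open close read write lstat fstat setstat fsetstat opendir readdir
remove mkdir rmdir realpath stat rename readlink symlink
posix-rename@openssh.com statvfs@openssh.com fstatvfs@openssh.com
hardlink@openssh.com fsync@openssh.com'

# Map an sftp(1) client command to the protocol request(s) it issues.
# cd/ls/get/put need realpath, stat, opendir/readdir, open/read/write/close,
# which stay allowed. Unknown commands fail so a typo cannot slip through.
request_for_command() {
    case "$1" in
        chmod|chown|chgrp) echo 'setstat fsetstat' ;;
        df)                echo 'statvfs@openssh.com fstatvfs@openssh.com' ;;
        rm)                echo 'remove' ;;
        rename)            echo 'rename posix-rename@openssh.com' ;;
        mkdir)             echo 'mkdir' ;;
        rmdir)             echo 'rmdir' ;;
        ln|symlink)        echo 'symlink hardlink@openssh.com' ;;
        *)                 return 1 ;;
    esac
}

# Join words with commas, the form -P expects.
to_csv() {
    echo "$*" | tr ' ' ','
}

# A misspelled name in -P matches no request and therefore denies nothing,
# so refuse anything that is not in the server's own request list.
validate_requests() {
    for r in "$@"; do
        found=0
        for k in $KNOWN_REQUESTS; do
            [ "$r" = "$k" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "unknown request: $r" >&2; return 1; }
    done
}

# Collect the deduplicated request names for a set of client commands.
deny_for_commands() {
    out=''
    for c in "$@"; do
        reqs=$(request_for_command "$c") || { echo "no request for: $c" >&2; return 1; }
        out="$out $reqs"
    done
    # word-split $out on purpose, one name per line, keep first occurrence
    printf '%s\n' $out | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Emit the sshd_config fragment. sshd requires every component of the
# ChrootDirectory path to be root-owned and not group/world writable, so
# users get a subdirectory inside it (e.g. upload/) that is chowned to them.
sftp_match_block() {
    group=$1; chroot=$2; shift 2
    validate_requests "$@" || return 1
    denied=$(to_csv "$@")
    cat <<EOF
Match Group $group
    ChrootDirectory $chroot
    ForceCommand internal-sftp -P $denied
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# The four commands the original post wants removed.
sftp_match_block sftponly /srv/sftp/%u $(deny_for_commands chmod chown chgrp df)
```

Two caveats before deploying it. Denying setstat/fsetstat also breaks anything that sets attributes after an upload, so `put -P` and GUI clients that preserve timestamps by default will report an error on the final step even though the file data arrived. And -P only controls which protocol requests the server answers; the read/write boundary itself still comes from the chroot and from ordinary filesystem ownership and modes inside it, which is why the Match block also turns off forwarding and PTY allocation.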


