Blacklisting/whitelisting sftp-server commands

Travis Hayes travis.hayes at
Fri Sep 3 09:05:47 AEST 2021

I'm running OpenSSH_7.4p1 (CentOS7) and have been asked to build a sort of
"drop box" to allow clients read-only access from a certain directory.

Right now, I've implemented this with the following lines in

Subsystem sftp internal-sftp
Match User update_user
ChrootDirectory /opt/dropbox
ForceCommand internal-sftp -d / -R

This is mostly working; it's allowing read-only access and restricting the
connecting user to the /opt/dropbox directory. I am concerned about the
following note in the man page: "For file transfer sessions using "sftp",
no additional configuration of the environment is necessary if the
in-process sftp server is used, though sessions which use logging do
require /dev/log inside the chroot directory."

As I haven't created a /dev/log socket in the directory, I am concerned
that there is logging information I will wish I had.

Looking at the -p and -P options, I wonder if there isn't a more
fine-grained approach possible, to perhaps whitelist only the commands
necessary for two operations: to list the contents of the current directory
and retrieve the files. My attempts so far to restrict opendir, lstat,
read, readdir, realpath, etc. haven't been successful. For example,
restricting "opendir" gives an error that the client can't get the CWD and
the session fails.

Any pointers?



More information about the openssh-unix-dev mailing list
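The configuration discussed in the post, as an added example that is not part of the original message and not OpenSSH's own code. It renders the same read-only chroot Match block with logging switched on (internal-sftp's `-l log_level` and `-f log_facility` options; on OpenSSH 6.5 and later `internal-sftp -Q requests` lists the request names that `-p`/`-P` accept), and then checks the two things the poster is worried about: whether a syslog socket exists at `<chroot>/dev/log`, and whether the chroot directory has the ownership and permissions sshd insists on. The user name `update_user`, the path `/opt/dropbox` and the rsyslog `$AddUnixListenSocket` directive (the CentOS 7 way to make rsyslog listen on a second socket) are the assumptions here.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for a read-only
# chroot SFTP "drop box" with request logging.

# Print the sshd_config fragment. Compared with the poster's block it adds
# -l INFO -f AUTH so internal-sftp logs every request; those messages go
# to syslog and therefore need a /dev/log socket inside the chroot.
# $1 = user name, $2 = chroot directory (both assumed values in the test).
dropbox_sshd_fragment() {
    user=$1
    chroot=$2
    printf '%s\n' \
        "Subsystem sftp internal-sftp" \
        "Match User $user" \
        "    ChrootDirectory $chroot" \
        "    ForceCommand internal-sftp -d / -R -l INFO -f AUTH"
}

# Return 0 if $1/dev/log exists and is a socket. Otherwise print the
# rsyslog directive that creates the listener and return 1.
chroot_log_socket_ok() {
    if [ -S "$1/dev/log" ]; then
        return 0
    fi
    echo "missing $1/dev/log; add to /etc/rsyslog.conf:" >&2
    echo "  \$AddUnixListenSocket $1/dev/log" >&2
    return 1
}

# sshd refuses a ChrootDirectory that is group- or world-writable.
# Return 0 when neither write bit is set on the directory itself.
chroot_perms_ok() {
    [ -d "$1" ] || return 1
    writable=$(find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)
    [ -z "$writable" ]
}

# sshd also requires the ChrootDirectory (and every path component
# above it) to be owned by root. Checked separately so the permission
# check above can be exercised without root.
chroot_owner_ok() {
    [ -n "$(find "$1" -maxdepth 0 -user root -print)" ]
}

# Run all checks for one chroot and report; exit status 0 only if all pass.
audit_dropbox() {
    rc=0
    chroot_owner_ok "$1"      || { echo "$1 is not owned by root" >&2; rc=1; }
    chroot_perms_ok "$1"      || { echo "$1 is group/world-writable" >&2; rc=1; }
    chroot_log_socket_ok "$1" || rc=1
    return $rc
}

# Usage (as root on the real host):
#   dropbox_sshd_fragment update_user /opt/dropbox >> /etc/ssh/sshd_config.d/dropbox.conf
#   audit_dropbox /opt/dropbox && sshd -t
```

After adding the rsyslog directive and restarting rsyslog, `audit_dropbox` should pass and each SFTP request (open, opendir, realpath and so on) shows up in the AUTH facility log, which is the per-request record the `-R` flag alone does not give you.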