Blacklisting/whitelisting sftp-server commands

Damien Miller djm at
Fri Sep 3 14:46:47 AEST 2021

On Thu, 2 Sep 2021, Travis Hayes wrote:

> I'm running OpenSSH_7.4p1 (CentOS7) and have been asked to build a sort of
> "drop box" to allow clients read-only access from a certain directory.
> Right now, I've implemented this with the following lines in
> /etc/ssh/sshd_config:
>
>   Subsystem sftp internal-sftp
>   Match User update_user
>     ChrootDirectory /opt/dropbox
>     ForceCommand internal-sftp -d / -R
>
> This is mostly working; it's allowing read-only access and restricting the
> connecting user to the /opt/dropbox directory. I am concerned about the
> following note in the man page: 'For file transfer sessions using "sftp",
> no additional configuration of the environment is necessary if the
> in-process sftp server is used, though sessions which use logging do
> require /dev/log inside the chroot directory'
> As I haven't created a /dev/log socket in the directory, I am concerned
> that there is logging information I will wish I had.

There's very little logged at the default loglevel, but most operations
are logged at -lVERBOSE.

> Looking at the -p and -P options, I wonder if there isn't a more
> fine-grained approach possible, to perhaps whitelist only the commands
> necessary for two operations: to list the contents of the current directory
> and retrieve the files. My attempts so far to restrict opendir, lstat,
> read, readdir, realpath, etc. haven't been successful. For example,
> restricting "opendir" gives an error that the client can't get the CWD and
> the session fails.

Yes, most clients issue an FXP_OPENDIR to figure out their "home
directory" since the protocol has no notion of one other than the
current working directory the server starts at.

For listing and downloading files, you'll need to allow something like:


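A request-whitelisted variant of the Match block quoted above, added here as an illustration and not taken from the reply. The request names are the ones sftp-server(8) accepts for -p; which of them a given client actually needs for listing and download is an assumption and should be confirmed against the -l VERBOSE log of the clients in use.

```sshd_config
# Added example (not from the thread): read-only "drop box" for update_user.
# Variant 1 is the configuration quoted above. Variant 2 adds a request
# whitelist (-p) so that anything outside list/download is refused even
# if -R were later removed, and raises the log level so refused requests
# become visible. The whitelist is an assumption about what typical clients
# send for a directory listing and a download; verify it against the
# VERBOSE log of the clients actually in use.

Subsystem sftp internal-sftp

# Variant 1 (as quoted above): chrooted, read-only
#Match User update_user
#    ChrootDirectory /opt/dropbox
#    ForceCommand internal-sftp -d / -R

# Variant 2: chrooted, read-only, request-whitelisted, verbose logging
Match User update_user
    ChrootDirectory /opt/dropbox
    # realpath, opendir, readdir, close: the client's initial "where am I"
    #   lookup and directory listing
    # lstat, stat, fstat: attributes shown in listings and checked before get
    # open, read, close: downloading a file
    # Everything else (write, remove, rename, mkdir, setstat, ...) is refused.
    ForceCommand internal-sftp -d / -R -l VERBOSE -p realpath,opendir,readdir,lstat,stat,fstat,open,read,close
```

Because the session is chrooted, internal-sftp can only reach syslog if a socket exists at /opt/dropbox/dev/log (for example an extra imuxsock listener in rsyslog); without it the VERBOSE lines are silently dropped, which is exactly the man page caveat quoted above.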