Disabling specific commands in sftp

Darren Tucker dtucker at zip.com.au
Sun Feb 12 16:30:35 AEDT 2017


On Sun, Feb 12, 2017 at 5:12 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Fri, Feb 10, 2017 at 3:20 AM, Alexandre MALDEME <A.MALDEME at olky.eu> wrote:
>> Hi,
>>
>> On CentOS 7 I’m trying to set up a chrooted SFTP server on which specific users can only read and write on specific folder. And I’d like to disable some commands, so the users can only do ‘cd’, ‘ls’, ‘get’ and ‘put’ (and disabling ‘chgrp’, ‘chmod’, ‘chown’, ‘df’ etc …). Is there a way to achieve it, natively or with using a third-party software ?
>
> There were some published OpenSSH chroot patches years ago, but
> they've been repeatedly rejected for various security reasons.

Err, sshd has ChrootDirectory, which was added in version 4.8
(released in 2008):
https://www.openssh.com/releasenotes.html#4.8

sftp-server has flags -P and -p, which blacklist and whitelist requests
respectively, and which were added in 6.5:
https://www.openssh.com/releasenotes.html#6.5.

ChrootDirectory can be used inside a Match User block, but right now
Subsystem can't.  If Alexandre can get away with setting -P or -p
globally for sftp-internal for all users then it should be possible,
and Subsystem could be made to work inside a Match block with a bit of
work.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
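
A worked sshd_config fragment that puts the two pieces Darren names together
(ChrootDirectory in a Match block, -P on the in-process sftp server). It is
added here as an illustration and is not from the thread or from OpenSSH's own
documentation. The group name sftponly, the /srv/sftp layout, the upload
subdirectory and the particular request names blocked are this example's
assumptions; confirm the request names your build supports with
`sftp-server -Q requests`.

```conf
# /etc/ssh/sshd_config (fragment; group name, paths and request list are
# this example's choices, not the thread's)

# Subsystem cannot appear inside a Match block, so the request filter is
# set globally.  internal-sftp accepts the same options as sftp-server(8);
# -P is a comma-separated blacklist of exact SFTP protocol request names,
# and every refused request is answered with a failure status.
# setstat/fsetstat are what the sftp client sends for chmod, chown and
# chgrp; statvfs@openssh.com is what it sends for df (fstatvfs@openssh.com
# is the handle-based twin, blocked for completeness).
Subsystem sftp internal-sftp -P setstat,fsetstat,statvfs@openssh.com,fstatvfs@openssh.com

Match Group sftponly
    # Every component of the chroot path must be a root-owned directory
    # that is not group- or world-writable, or sshd refuses the login.
    # The user therefore gets a writable subdirectory (upload/, owned by
    # the user) inside a root-owned chroot; -d starts the session there.
    ChrootDirectory /srv/sftp/%u
    # ForceCommand replaces the Subsystem command line, options included,
    # so the blacklist must be repeated here.  Putting it in the Match
    # block is also how the policy becomes per-user or per-group.
    ForceCommand internal-sftp -d /upload -P setstat,fsetstat,statvfs@openssh.com,fstatvfs@openssh.com
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# Stricter variant: whitelist (-p) instead of blacklist.  The client issues
# realpath, stat and lstat behind cd, ls, get and put, so a whitelist of
# only open/read/write/opendir/readdir breaks cd and ls.  Exercise it with
# the real client before deploying:
#   ForceCommand internal-sftp -d /upload -p realpath,stat,lstat,fstat,opendir,readdir,close,open,read,write
```

Check the file with `sshd -t`, then log in as a member of sftponly with the
stock sftp client: `ls`, `cd`, `put` and `get` should work, while
`chmod 600 file`, `chown`, `chgrp` and `df` should come back with a failure
reply from the server. Note that -P and -p filter protocol requests, not sftp
command names, so a different client (or a newer one that issues additional
extension requests) has to be tested against the list rather than assumed to
behave the same way.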

