Hello,

A couple of days ago, I received a request from a customer.
He wants to provide sftp users access to a directory tree containing files.
The users must have full rights, but he also wants to avoid moving or deleting directories. This is mostly to prevent mistaken drag and drop from the user's graphical client (Filezilla).
Said differently, he wants to protect the directory organization.

First, I tried to find how to do that from the system point of view. But it does not look easily possible according to what the customer wants to do.

So as a proof of concept, I decided to do it from the application side, modifying the sftp server by answering ok and not doing the rmdir and rename commands (ugly patch below).
It works as expected and seems to satisfy the customer.

Do you think it is something that could be implemented upstream?
Of course, I am thinking of a proper patch that, as an example, would allow disabling specific sftp commands for some users.

If yes, I could probably write one, but I will need some guidance to do it and design it properly.

Regards.
René.

Patch below:
Note: This patch was written to be used on CentOS 6.9, which uses an old OpenSSH version.

diff openssh-5.3p1/sftp-server.c openssh-5.3p1.patched/sftp-server.c 949a950 993,994c1001,1004 < ret = rmdir(name); < status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ---> /*ret = rmdir(name); > status = (ret == -1) ? errno_to_portable(errno) :SSH2_FX_OK;> */ > status = SSH2_FX_OK;1040a1051,1053> else if (S_ISDIR(sb.st_mode)) { > status = SSH2_FX_OK; > }
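
Review bot: in the 993,994c1001,1004 hunk, `status = SSH2_FX_OK;` reports success for an rmdir that was never attempted, so the client's view of the tree no longer matches the server and the user gets no sign that the request was refused. Return an error status such as SSH2_FX_PERMISSION_DENIED instead, and delete the two old lines rather than leaving them inside a `/* ... */` comment. As written the refusal is unconditional, so it applies to every user served by this binary, not only the customer's accounts.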
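
Review bot: the `else if (S_ISDIR(sb.st_mode))` branch added at 1040a1051,1053 has the same problem: it sets `status = SSH2_FX_OK` without renaming anything, so a client that drags a directory is told the move succeeded. Set an error status there. The hunk does not show where `sb` is filled in, so confirm the stat call succeeded before `sb.st_mode` is tested, and note that the line added by 949a950 is missing from the posting and cannot be reviewed.
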
On Wed, 6 Sep 2017, René Ribaud wrote:

> Hello,
>
> A couple of days ago, I received a request from a customer.
> He wants to provide sftp users access to a directory tree containing files.
> The users must have full rights, but he also wants to avoid moving or
> deleting directories. This is mostly to prevent mistaken drag and
> drop from the user's graphical client (Filezilla).
> Said differently, he wants to protect the directory organization.
>
> First, I tried to find how to do that from the system point of view. But it
> does not look easily possible according to what the customer wants to do.
>
> So as a proof of concept, I decided to do it from the application side,
> modifying the sftp server by answering ok and not doing the rmdir and
> rename commands (ugly patch below).
> It works as expected and seems to satisfy the customer.
>
> Do you think it is something that could be implemented upstream?

I added this ability 4 years ago. See the -p/-P and -Q flags for
sftp-server.

These are the requests that can be white/blacklisted:

[djm at natsu]$ /usr/libexec/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync

-d

On Thu, 2017-09-07 at 09:13 +1000, Damien Miller wrote:

> On Wed, 6 Sep 2017, René Ribaud wrote:
>
> > Hello,
> >
> > A couple of days ago, I received a request from a customer.
> > He wants to provide sftp users access to a directory tree
> > containing files.
> > The users must have full rights, but he also wants to avoid moving
> > or deleting directories. This is mostly to prevent mistaken drag and
> > drop from the user's graphical client (Filezilla).
> > Said differently, he wants to protect the directory organization.
> >
> > First, I tried to find how to do that from the system point of view.
> > But it does not look easily possible according to what the customer
> > wants to do.
> >
> > So as a proof of concept, I decided to do it from the application
> > side, modifying the sftp server by answering ok and not doing the
> > rmdir and rename commands (ugly patch below).
> > It works as expected and seems to satisfy the customer.
> >
> > Do you think it is something that could be implemented upstream?
>
> I added this ability 4 years ago. See the -p/-P and -Q flags for
> sftp-server.
>
> These are the requests that can be white/blacklisted:
>
> [djm at natsu]$ /usr/libexec/sftp-server -Q requests
> open
> close
> read
> write
> lstat
> fstat
> setstat
> fsetstat
> opendir
> readdir
> remove
> mkdir
> rmdir
> realpath
> stat
> rename
> readlink
> symlink
> posix-rename
> statvfs
> fstatvfs
> hardlink
> fsync
>
> -d

Sorry, I completely missed these options, mainly because they are not
available with the CentOS 6 sftp-server. And I don't know why, I didn't
check the man pages of the latest release....

Anyway, thank you very much, Damien, that's exactly what we need.

Regards.
René.
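
Added example, not part of the thread and not OpenSSH project code: a small shell helper that turns the deny-list approach from Damien's reply into an sshd_config line, checking each name against the `-Q requests` output first. The function names, the sample variable and the choice of `ForceCommand internal-sftp` (which takes the same options as sftp-server) are assumptions made for the illustration.

```sh
# Constructed sample input: the request names from the `-Q requests` output
# quoted in the thread. On a live host pass the real list instead, e.g.
#   "$(/usr/libexec/sftp-server -Q requests)"
SUPPORTED_SAMPLE="open close read write lstat fstat setstat fsetstat opendir
readdir remove mkdir rmdir realpath stat rename readlink symlink posix-rename
statvfs fstatvfs hardlink fsync"

# is_supported LIST NAME: succeed if NAME is one whole word of LIST.
# (hypothetical helper)
is_supported() {
    for r in $1; do
        [ "$r" = "$2" ] && return 0
    done
    return 1
}

# deny_line LIST NAME...: print an sshd_config line that denies each NAME
# through the -P flag. Returns 1 on a name the server does not list, because
# a misspelt name would not deny the operation that was meant.
# (hypothetical helper)
deny_line() {
    list=$1
    shift
    csv=""
    for name in "$@"; do
        if ! is_supported "$list" "$name"; then
            echo "unsupported request: $name" >&2
            return 1
        fi
        csv="${csv:+$csv,}$name"
    done
    # An empty deny list is treated as a mistake, not as "deny nothing".
    [ -n "$csv" ] || return 1
    printf 'ForceCommand internal-sftp -P %s\n' "$csv"
}

# Example call for the use case in the thread:
#   deny_line "$SUPPORTED_SAMPLE" rmdir rename posix-rename
```

The denied list works per request type, so denying `rename` and `posix-rename` refuses renames of files as well as directories, unlike the proof-of-concept patch, which only skipped directories.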