bugzilla-daemon at bugzilla.mindrot.org
2010-Dec-09 23:59 UTC
[Bug 1844] New: Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Summary: Explicit file permissions enhancement to sftp-server
Product: Portable OpenSSH
Version: 5.6p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: sftp-server
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: candland at xmission.com
Created attachment 1973
--> https://bugzilla.mindrot.org/attachment.cgi?id=1973
Force file permissions for sftp-server
Hello,
I have found that I require more control over file permissions for
incoming files via sftp-server/internal-sftp than the -u <umask>
parameter can provide.
Please see the attached patch. It adds yet another option to
sftp-server (-m) that will force file permissions and will ignore
permissions specified by the client. The numeric permissions following
the -m parameter are bounds checked by the same method now used for the
-u parameter and can only range from 0 - 0777.
Implementation in sshd_config would obviously be something like:
-----------------------------------------------
Match Group sftponly
ChrootDirectory /home/chroot-%u
ForceCommand internal-sftp -m 660
-----------------------------------------------
or
----------------------------------------------------
Subsystem sftp /path/to/sftp-server -m 600
----------------------------------------------------
I have tested extensively on several Linux distributions and have been
using the changes in our production sftp-server environment.
Note that the attached patch updates sftp-server.8 version 1.19 and
sftp-server.c version 1.93.
Please consider including this change or something similar in the next
release.
Thanks!
-Rob Candland
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Oct-08 15:08 UTC
[Bug 1844] Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Donjan <bryonak at freenet.de> changed:
What    | Removed | Added
--------+---------+--------------------------
CC      |         | bryonak at freenet.de

--- Comment #1 from Donjan <bryonak at freenet.de> 2011-10-09 02:08:29 EST ---
I strongly support this patch or alternatively the sftpfilecontrol one
(http://sftpfilecontrol.sourceforge.net/).
Usage scenario:
Client opens sftp connection to server, browses to a setgid 'workgroup'
directory (he's in the corresponding group) and creates a new file. In
order for other users in this group to be able to edit the file, it
should have ...rw-... permissions.
By using the -u flag in sshd_config:
Subsystem sftp /usr/lib/openssh/sftp-server -u002
The client's umask gets shadowed, but not overridden. That is, if the
client has 022 for his umask (as most do), the -u flag can't achieve
g+w on new files (it does however, for example, correctly flatten the
group permissions with -u070).
This should be independent of wildly varying client setups, so asking
every user to change his local umask is not a practicable way.
The patch in this report would allow setting a -m flag in sshd_config;
the sftpfilecontrol patch mentioned above would allow a SftpUmask
option, also in sshd_config. Either of which would be highly useful for
the described setup.
Thanks and best wishes
Donjan Rodic
PS: Rob, does your patch handle directories as well?
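The following is an added illustration, not code from this bug report or from the attached patch. It reproduces, on a real filesystem, the permission behaviour the report and Comment #1 describe: a umask applied on the server side (the -u option) can only clear bits from the mode the client requests, so it can never grant g+w when the client sends 0644; a forced mode (the -m idea) has to be applied explicitly after the file is created. It assumes, as Comment #1 implies, that the sftp client sends the mode its own local umask produced, and it assumes the forced mode is applied with fchmod() after open(); whether the attached patch does exactly that is not stated on the page. Runs on any POSIX system, writing only into a temporary directory.

```python
import os
import stat
import tempfile


def effective_mode(client_mode, server_umask, forced_mode=None):
    """Pure model of what the kernel and an fchmod()-based force would yield.

    open(2) stores (mode & ~umask); a forced mode replaces that result.
    Used here to cross-check the filesystem experiment below.
    """
    if forced_mode is not None:
        return forced_mode & 0o777
    return (client_mode & 0o777) & ~(server_umask & 0o777)


def create_as_server_would(directory, name, client_mode, server_umask,
                           forced_mode=None):
    """Create `name` in `directory` the way an sftp-server-style open() would.

    client_mode  - permission bits the client put in the SFTP attrs
    server_umask - the -u value, installed as the process umask
    forced_mode  - hypothetical -m value; when set, the client's mode is
                   ignored and the bits are applied with fchmod() (assumed
                   implementation, not necessarily what the patch does)
    Returns the permission bits the file actually ended up with.
    """
    path = os.path.join(directory, name)
    old_umask = os.umask(server_umask & 0o777)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, client_mode)
    finally:
        os.umask(old_umask)          # never leave a changed umask behind
    try:
        if forced_mode is not None:
            os.fchmod(fd, forced_mode & 0o777)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def demo():
    """Constructed scenarios from the thread; returns {label: resulting mode}."""
    cases = {
        # client umask 022 -> client sends 0644; server -u002 cannot add g+w
        "u002_client644": (0o644, 0o002, None),
        # a client with umask 000 sends 0666; -u002 now yields 0664
        "u002_client666": (0o666, 0o002, None),
        # -u070 flattens the group bits no matter what the client sent
        "u070_client664": (0o664, 0o070, None),
        # -m 660: client's 0644 and the umask are both irrelevant
        "m660_client644": (0o644, 0o022, 0o660),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (client_mode, umask, forced) in cases.items():
            got = create_as_server_would(d, label, client_mode, umask, forced)
            # the filesystem must agree with the arithmetic model
            assert got == effective_mode(client_mode, umask, forced), label
            results[label] = got
    return results


if __name__ == "__main__":
    for label, mode in demo().items():
        print(f"{label}: {mode:04o}")
```

The first case is the one Comment #1 complains about: with the client already sending 0644, no -u value can produce 0664, because a umask is a mask and only removes bits. The last case shows why the report asks for a separate option: forcing a mode is a different operation from masking one.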
bugzilla-daemon at bugzilla.mindrot.org
2012-May-09 14:38 UTC
[Bug 1844] Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844
Rooney <rooneymailguard-mr at yahoo.com> changed:
What    | Removed | Added
--------+---------+----------------------------------
CC      |         | rooneymailguard-mr at yahoo.com
bugzilla-daemon at bugzilla.mindrot.org
2012-May-09 18:26 UTC
[Bug 1844] Explicit file permissions enhancement to sftp-server
https://bugzilla.mindrot.org/show_bug.cgi?id=1844

--- Comment #2 from Rob Candland <candland at xmission.com> 2012-05-10 04:26:12 EST ---
My apologies for not responding more quickly. Due to lack of support from
the OpenSSH team I have not released further patches, but with the
existing patch you should be able to patch newer versions of the
sftp-server.c file and even the man page. The patch isn't a very elegant
solution but it gets the job done and IMO makes the sftp server even more
useful than it already is.