openssh bugs - Feb 2012 - [Bug 1979] New: Enhancement patch: Restrict sftp-server to basic commands, by user or group

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

             Bug #: 1979
           Summary: Enhancement patch: Restrict sftp-server to basic
                    commands, by user or group
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: jdmossh at nand.net


Created attachment 2128
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2128
Patch versus 5.9p1

This patch adds the ability to restrict an sftp-server user to just
basic commands such as get, put, readdir, and readlink, and prohibit
mkdir, rmdir, rename, symlink, setstat and their equivalents.

It comes with an sshd_config option (RestrictSFtpSysToBasics) which can
be global or in a Match block.

I've found it helpful, and that request occasionally comes up on the
openssh-unix-dev list.

Please give feedback and consider it for inclusion.  Patches are
attached against both 5.9p1 and openbsd's 5.9.

A more advanced enhancement might let the server admin specify which
commands to permit/deny; I think this is a good start.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

--- Comment #1 from Jeremy Monin <jdmossh at nand.net> 2012-02-13 06:40:01
EST ---
Created attachment 2129
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2129
Patch versus 5.9

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

Jeremy Monin <jdmossh at nand.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2128|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #2128|0                           |1
           is patch|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

Jeremy Monin <jdmossh at nand.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jdmossh at nand.net

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1979

cludvigg56 at yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cludvigg56 at yahoo.com

--- Comment #2 from cludvigg56 at yahoo.com 2012-06-18 17:28:02 EST ---
hi jeremy, i just would like to ask on how to apply this patch?(sorry
just a noob in linux)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.