bugzilla-daemon at mindrot.org
2022-Jun-24 08:40 UTC
[Bug 3451] New: Log which sftp command has been denied due to blacklist
https://bugzilla.mindrot.org/show_bug.cgi?id=3451
Bug ID: 3451
Summary: Log which sftp command has been denied due to blacklist
Product: Portable OpenSSH
Version: v9.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs at mindrot.org
Reporter: daku8938 at gmx.de
When restricting the allowed sftp-server commands with the
whitelist/blacklist options (-p / -P)
and the client requests a disallowed command, only "sent
status Permission denied" is logged:
internal-sftp[1234]: sent status Permission denied
For transparency (if multiple commands are not allowed, to be able to
distinguish), it would be better if the denied command were
logged, too, e.g.
internal-sftp[1234]: sent status Permission denied (mkdir)
I think it would be sufficient to only log the command without any
parameters (like directory names), like above, to be clear that the
command in general is forbidden, regardless of its parameters.
Here is my -p whitelist, which does not contain rmdir/mkdir and works
fine, aside from the uninformative log.
Subsystem sftp internal-sftp
ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p
open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync
I could not see in the release notes
https://www.openssh.com/releasenotes.html
that this logging would have changed since the version I am currently
using, which is 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Jun-26 22:03 UTC
[Bug 3451] Log which sftp command has been denied due to blacklist
https://bugzilla.mindrot.org/show_bug.cgi?id=3451
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The refused request is already logged at loglevel VERBOSE. Add "-l
verbose" to your sftp-server command-line and you will see it. E.g.
> Refusing denylisted mkdir request
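The resolution in comment #1 is to run the subsystem with `-l VERBOSE` (the reporter's ForceCommand uses `-l INFO`), at which point each refused request is logged as "Refusing denylisted &lt;cmd&gt; request" just before the "sent status Permission denied" line. The following is an added example, not code from the bug report or from OpenSSH, showing how a defender can turn those VERBOSE lines into a per-session summary of which allowlisted-out commands each client attempted. It assumes a standard syslog line layout (timestamp, host, `internal-sftp[pid]: message`), assumes that older releases such as 7.6p1 use the wording "blacklisted" instead of "denylisted", and uses constructed sample log lines; the hostnames, users and addresses in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the bug report), in the
# syslog layout that "-f LOCAL5 -l VERBOSE" is assumed to produce.
# pid 1300 shows a "Permission denied" status with no preceding refusal
# line: that can happen when the denial comes from the filesystem rather
# than from the -p/-P policy, or when the log level is below VERBOSE.
SAMPLE_LOG = """\
Jun 24 08:40:01 sftp1 internal-sftp[1234]: session opened for local user alice from [192.0.2.10]
Jun 24 08:40:02 sftp1 internal-sftp[1234]: Refusing denylisted mkdir request
Jun 24 08:40:02 sftp1 internal-sftp[1234]: sent status Permission denied
Jun 24 08:40:05 sftp1 internal-sftp[1234]: Refusing denylisted rmdir request
Jun 24 08:40:05 sftp1 internal-sftp[1234]: sent status Permission denied
Jun 24 08:41:10 sftp1 internal-sftp[1300]: session opened for local user bob from [192.0.2.11]
Jun 24 08:41:11 sftp1 internal-sftp[1300]: Refusing blacklisted mkdir request
Jun 24 08:41:11 sftp1 internal-sftp[1300]: sent status Permission denied
Jun 24 08:41:12 sftp1 internal-sftp[1300]: sent status Permission denied
"""

# Generic syslog line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# "denylisted" is the wording quoted in comment #1; "blacklisted" is
# assumed to be the wording of older sftp-server releases.
REFUSED_RE = re.compile(r'^Refusing (?:denylisted|blacklisted) (?P<cmd>[\w-]+) request$')
DENIED_RE = re.compile(r'^sent status Permission denied$')
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$')


def summarize(log_text):
    """Return (sessions, unexplained).

    sessions maps pid -> {"user", "addr", "refused": {cmd: count}}.
    unexplained counts "Permission denied" statuses that were not
    immediately preceded by a policy refusal line for the same pid.
    """
    sessions = {}
    refused = defaultdict(Counter)
    pending = defaultdict(int)   # refusals awaiting their status line
    unexplained = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                # not a syslog line we understand
        pid, msg = m['pid'], m['msg']
        s = SESSION_RE.match(msg)
        if s:
            sessions[pid] = {"user": s['user'], "addr": s['addr'], "refused": {}}
            continue
        r = REFUSED_RE.match(msg)
        if r:
            refused[pid][r['cmd']] += 1
            pending[pid] += 1
            continue
        if DENIED_RE.match(msg):
            if pending[pid] > 0:
                pending[pid] -= 1   # explained by the refusal just logged
            else:
                unexplained += 1    # denial with no policy refusal on record
    for pid, counts in refused.items():
        sessions.setdefault(pid, {"user": None, "addr": None, "refused": {}})
        sessions[pid]["refused"] = dict(counts)
    return sessions, unexplained


if __name__ == "__main__":
    sessions, unexplained = summarize(SAMPLE_LOG)
    for pid, info in sessions.items():
        print(f"pid {pid} user={info['user']} from={info['addr']} refused={info['refused']}")
    print(f"denials without a policy refusal line: {unexplained}")
```

The point of tracking `unexplained` is the caveat behind this bug: "sent status Permission denied" on its own does not say whether the -p/-P policy or the filesystem refused the operation, so a log kept at INFO cannot distinguish the two, while a VERBOSE log pairs every policy refusal with the command name.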
bugzilla-daemon at mindrot.org
2022-Jun-28 11:55 UTC
[Bug 3451] Log which sftp command has been denied due to blacklist
https://bugzilla.mindrot.org/show_bug.cgi?id=3451
--- Comment #2 from Miranda <daku8938 at gmx.de> ---
Can confirm solution is sftp-server log level VERBOSE for 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.
bugzilla-daemon at mindrot.org
2022-Oct-04 10:58 UTC
[Bug 3451] Log which sftp command has been denied due to blacklist
https://bugzilla.mindrot.org/show_bug.cgi?id=3451
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Closing bugs from openssh-9.1 release cycle