Hi,

Thanks a lot for this great software :) I'm trying to do something to secure my server. I need to disable removing a file or removing a directory using SFTP. In other words, the user can only write and move, but not delete, a file. This will be used to store logs, so I need to make sure that once the logs are written to my server the user cannot remove them.

I tried doing this by changing the code of process_remove from:

    static void
    process_remove(void)
    {
    	char *name;
    	u_int32_t id;
    	int status = SSH2_FX_FAILURE;
    	int ret;

    	id = get_int();
    	name = get_string(NULL);
    	debug3("request %u: remove", id);
    	logit("remove name \"%s\"", name);
    	if (readonly)
    		status = SSH2_FX_PERMISSION_DENIED;
    	else {
    		ret = unlink(name);
    		status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
    	}
    	send_status(id, status);
    	xfree(name);
    }

To:

    static void
    process_remove(void)
    {
    	char *name;
    	u_int32_t id;
    	int status = SSH2_FX_FAILURE;

    	id = get_int();
    	name = get_string(NULL);
    	debug3("request %u: remove", id);
    	logit("remove name \"%s\"", name);
    	/* Never call unlink(): always refuse the request. */
    	status = SSH2_FX_PERMISSION_DENIED;
    	send_status(id, status);
    	xfree(name);
    }

Am I doing it right? Because it's not working and I don't know why.

Thanks a lot.

--
Best Regards,
Ahmad Zayed
On 23 October 2012 08:48, Ahmad Zayed <az1fantastic at gmail.com> wrote:
> I'm trying to do something to secure my server. I need to disable removing a file or removing a directory using SFTP.

Set the "sappend" flag on the directory.

--
Eitan Adler
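An added example, not code from the thread, from Eitan or from OpenSSH, showing how to apply the flag he suggests and then verify what the kernel allows afterwards (the directory /srv/sftp/logs and the script name are assumptions). The chflags(1) keyword for the system append-only flag is `sappnd`; the Linux equivalent is `chattr +a`. Both are enforced by the kernel, so they hold for chrooted internal-sftp users as well, with no change to sftp-server.c at all. Two caveats for the "write, move but not delete" requirement: renaming an existing entry also fails in an append-only directory, because rename(2) has to remove the old name; and the flag belongs on the directory, not on each log file, since a file-level append-only flag additionally rejects any open for writing that is not O_APPEND, which is how SFTP uploads normally open files.

```shell
#!/bin/sh
# Added example for the "append-only directory" approach; not code from the
# thread or from OpenSSH. The log directory path in the usage comment is an
# assumption.

# Print the command (run as root) that makes a directory append-only on this OS.
#   BSD family: chflags sappnd  - system append-only flag; it cannot be cleared
#                                 while the kernel securelevel is above 0
#   Linux:      chattr +a       - needs CAP_LINUX_IMMUTABLE, i.e. root
append_only_cmd() {
    dir=$1
    case "$(uname -s)" in
        FreeBSD|NetBSD|OpenBSD|DragonFly|Darwin) echo "chflags sappnd $dir" ;;
        Linux)                                   echo "chattr +a $dir" ;;
        *) echo "unsupported OS: $(uname -s)" >&2; return 1 ;;
    esac
}

# Probe what the kernel lets the *current* user do inside a directory, which
# is exactly what the SFTP user gets: SSH2_FXP_OPEN (create), RENAME and
# REMOVE end up as creat(2), rename(2) and unlink(2). Prints one line like
#   create=ok rename=denied delete=denied
# On an append-only directory the probe file cannot be removed again, so run
# it with a name you do not mind leaving behind.
probe_dir() {
    d=$1
    f="$d/probe.$$"
    if : > "$f" 2>/dev/null; then create=ok; else create=denied; fi
    rename=denied
    if [ "$create" = ok ] && mv "$f" "$f.moved" 2>/dev/null; then
        rename=ok
        f="$f.moved"
    fi
    delete=denied
    if [ "$create" = ok ] && rm -f "$f" 2>/dev/null; then delete=ok; fi
    echo "create=$create rename=$rename delete=$delete"
}

# Usage (first as root, then as the SFTP user):
#   $(append_only_cmd /srv/sftp/logs)
#   sh this_script.sh /srv/sftp/logs
# Expected on the flagged directory: create=ok rename=denied delete=denied
if [ $# -gt 0 ]; then
    probe_dir "$1"
fi
```

Run the probe once before and once after setting the flag; the "before" run on an unprotected directory reports all three operations as ok, which is the baseline the test below checks.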
On Tue, 23 Oct 2012, Ahmad Zayed wrote:
> Am I doing it right? Because it's not working and I don't know why. Thanks
> a lot.

Your change looks fine, so I guess you either forgot to install it, installed it in the wrong location, or are using internal-sftp and forgot to restart sshd.

-d
Hi Ben,

Thanks for the reply. So to make it work I have to recompile the OpenSSH package after changing the sftp.c file and editing the do_rm & do_rmdir functions?

Thanks

On Oct 24, 2012 7:56 PM, "Ben Lindstrom" <mouring at eviladmin.org> wrote:
>
> On Oct 24, 2012, at 11:17 AM, Ahmad Zayed <az1fantastic at gmail.com> wrote:
>
> > Dear Damien,
> > Good day
> >
> > Thanks for your reply
> >
> > This is what I found: the modified version of sftp-server is working, but
> > the user I tried is configured under a chroot environment and I am using the
> > internal-sftp as force command.
> >
> > Today I tried to find out where I can modify this so I can clean out do_rm
> > & do_rmdir functions
>
> The existing code change will work, but you need to recompile the sshd and run
> that instead of the one that comes with the base OS, as you are using internal-sftp,
> which takes that code and compiles it directly into the sshd.
>
> - Ben
From: Ahmad Zayed [mailto:az1fantastic at gmail.com]
Sent: Wednesday, October 24, 2012 11:42 AM
To: Scott Neugroschl
Subject: RE: Disable rm on sftp

Hi Scott,

Thanks for the reply. For the record, I tried to compile after changing the sftp.c file and I moved the sftp binary file to /usr/local/bin, but nothing changed. As you recommend, I might need to recompile the whole OpenSSH package.

Thanks

On Oct 24, 2012 9:19 PM, "Scott Neugroschl" <scott_n at xypro.com> wrote:

[[SAN]] Ahmad, you have to reinstall sshd after recompiling. This is a server function.
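An added example, not code from the thread, from any of the posters or from OpenSSH, that automates the check Ben and Scott describe: read sshd_config to see whether the SFTP request handlers run inside the sshd binary (internal-sftp, which is what a ChrootDirectory plus ForceCommand internal-sftp setup uses) or in a separate sftp-server program, and therefore which file has to carry the rebuilt code. Note that `sftp` is the client program; the server side is `sftp-server`, or sshd itself when internal-sftp is in use, so copying a rebuilt `sftp` to /usr/local/bin cannot affect what a connecting user is allowed to do. After reinstalling the right binary, sshd still has to be restarted. The config paths, the script name and the /usr/sbin/sshd fallback are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: find out which binary the
# SFTP handlers (process_remove and friends from sftp-server.c) actually run
# from, so the rebuilt code is installed where sshd will execute it.
# Config paths in the usage comment are assumptions.

# Report the effective SFTP handler declared in an sshd_config:
#   internal          - internal-sftp: sftp-server.c is compiled into sshd
#                       itself. A new sftp-server (or sftp client) binary
#                       changes nothing; rebuild, reinstall and restart sshd.
#   external:<path>   - sshd execs this program. Install the rebuilt
#                       sftp-server at that path (and, for ChrootDirectory
#                       users, inside each chroot together with its libraries).
#   none              - no sftp subsystem configured at all
# A "ForceCommand internal-sftp" in any Match block wins for the users that
# block matches (the usual chroot-only setup), so it is checked first.
sftp_handler() {
    cfg=$1
    if grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$cfg"; then
        echo internal
        return 0
    fi
    # Commented-out lines start with '#', so the anchored regex skips them.
    sub=$(grep -Ei '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg" \
          | head -n 1 | awk '{ print $3 }')
    case "$sub" in
        "")            echo none ;;
        internal-sftp) echo internal ;;
        *)             echo "external:$sub" ;;
    esac
}

# Map the handler string to the file that must contain the modified code.
# For "internal" this is sshd; assumes it is on PATH or at /usr/sbin/sshd.
patched_binary() {
    case "$1" in
        internal)   command -v sshd 2>/dev/null || echo /usr/sbin/sshd ;;
        external:*) echo "${1#external:}" ;;
        *)          echo "no SFTP handler configured" >&2; return 1 ;;
    esac
}

# Usage: sh this_script.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    h=$(sftp_handler "$1")
    echo "handler: $h"
    echo "binary that must contain the patched sftp-server.c: $(patched_binary "$h")"
fi
```

For a chrooted user the answer is almost always "internal", because an external sftp-server would have to exist inside the chroot; that is the case in this thread, which is why only a rebuilt and reinstalled sshd takes effect.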