House Lee
2017-Dec-14 16:26 UTC
[SFTP] Possibility for Adding "ForceFilePermission" option
Hi,

I understand that if I specify `ForceCommand internal-sftp -u <umask>`, the permission of any files uploaded via sftp will be calculated by `<original permission> & ~umask`. However, this can be bypassed by the `-P` option of `put` command. We are developing a shared hosting platform, therefore we definitely don't want our users being able to upload any executable files. We can not disable the x permission by umask because directories need the x permission.

Is there any possible way to accomplish this? or is it possible to add a `ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?

Thanks & Best Regards,
House
Alexander Wuerstlein
2017-Dec-14 17:12 UTC
[SFTP] Possibility for Adding "ForceFilePermission" option
On 2017-12-14T17:28, House Lee <hlee at vendasta.com> wrote:
> Hi,
>
> I understand that if I specify `ForceCommand internal-sftp -u <umask>`, the permission of any files uploaded via sftp will be calculated by `<original permission> & ~umask`. However, this can be bypassed by the `-P` option of `put` command. We are developing a shared hosting platform, therefore we definitely don't want our users being able to upload any executable files. We can not disable the x permission by umask because directories need the x permission.
>
> Is there any possible way to accomplish this? or is it possible to add a `ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?

Mount the filesystem in question with 'noexec', you probably also want 'nosuid' and 'nodev' anyways.

Ciao,
Alexander Wuerstlein.
Jakub Jelen
2017-Dec-18 12:03 UTC
[SFTP] Possibility for Adding "ForceFilePermission" option
On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
> Hi,
>
> I understand that if I specify `ForceCommand internal-sftp -u <umask>`, the permission of any files uploaded via sftp will be calculated by `<original permission> & ~umask`. However, this can be bypassed by the `-P` option of `put` command. We are developing a shared hosting platform, therefore we definitely don't want our users being able to upload any executable files. We can not disable the x permission by umask because directories need the x permission.
>
> Is there any possible way to accomplish this? or is it possible to add a `ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?
>
> Thanks & Best Regards,
> House

Hello,

during last month, there were already two emails in this mailing list discussing this issue:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036468.html

The patch exists here since 2010 and it is currently used in Fedora/RHEL to a great satisfaction, though it was never accepted by upstream nor there was any official statement if they will eventually accept this change or why not (and in which I would be greatly interested).

Best advice I have is to pull that patch from the linked thread above. Or have some script that is fixing the files permissions upon upload.

Regards,
Jakub

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
David Newall
2017-Dec-18 15:33 UTC
[SFTP] Possibility for Adding "ForceFilePermission" option
On 18/12/17 22:33, Jakub Jelen wrote:
> during last month, there were already two emails in this mailing list discussing [forced permissions]:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036468.html

This seems like a reasonable and useful feature. It's simple to implement, and, (apparently) there's already a patch to do it.

I can think of one reason why further thought is required. It could be argued that this needs to be determined per-user. That is, should there be some way to specify a group of users for whom permissions are not forced; or, in the alternative, a group of users for whom permissions must be forced.

I'm sorry to have erected what might seem to be a block to implementation of this very good idea. It is not my intention to block it; I encourage it!, in part because I have a use for it. I offer my help as a programmer of 40 years practice (although I perceive that that's not needed.)
House Lee
2017-Dec-18 16:46 UTC
[SFTP] Possibility for Adding "ForceFilePermission" option
Hi Jakub,

Sorry for the late reply. I was off from work for a few days.

I've tried to add the noexec, nosuid and nodev mount options but it seems to have some difficulties to do so with kubernetes nfs-mount. I'll keep trying to resolve it anyway.

The patch you pasted is exactly the thing I wanna have. I think it's super useful and I definitely vote yes for merging it to master. I was actually planning to create a patch myself if not seeing your reply. Is it possible to raise a concern about this patch in the developer group?

Regarding the "a script that fixes file permissions upon upload", this is also an interesting idea. But how do I add a hook that is listening to the upload events?

Thanks & Best Regards
House

> On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen at redhat.com> wrote:
>
> On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
>> Hi,
>>
>> I understand that if I specify `ForceCommand internal-sftp -u <umask>`, the permission of any files uploaded via sftp will be calculated by `<original permission> & ~umask`. However, this can be bypassed by the `-P` option of `put` command. We are developing a shared hosting platform, therefore we definitely don't want our users being able to upload any executable files. We can not disable the x permission by umask because directories need the x permission.
>>
>> Is there any possible way to accomplish this? or is it possible to add a `ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?
>>
>> Thanks & Best Regards,
>> House
>
> Hello,
>
> during last month, there were already two emails in this mailing list discussing this issue:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-November/036468.html
>
> The patch exists here since 2010 and it is currently used in Fedora/RHEL to a great satisfaction, though it was never accepted by upstream nor there was any official statement if they will eventually accept this change or why not (and in which I would be greatly interested).
>
> Best advice I have is to pull that patch from the linked thread above. Or have some script that is fixing the files permissions upon upload.
>
> Regards,
> Jakub
>
> --
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.
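The following is an added example, not code from any poster in this thread or from OpenSSH. It sketches the "script that fixes file permissions upon upload" idea as a sweep over an upload tree, and shows why a umask alone does not hold. Assumptions: the names `simulate_upload`, `force_file_permissions` and `FILE_MASK` are hypothetical, the bypass is modelled as an explicit chmod after creation, and the sweep runs with enough privilege to open every file; how it gets triggered (periodically or by some event source) is left open.

```python
import os
import stat

FILE_MASK = 0o666  # assumed policy: files keep no x, setuid, setgid or sticky bit


def simulate_upload(path, requested_mode, umask, preserve):
    """Create a file under `umask`, then optionally chmod it the way a
    permission-preserving upload would. Returns the resulting mode."""
    old = os.umask(umask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested_mode))
    finally:
        os.umask(old)
    if preserve:
        os.chmod(path, requested_mode)  # explicit chmod: the umask is not consulted
    return stat.S_IMODE(os.lstat(path).st_mode)


def force_file_permissions(root, mask=FILE_MASK):
    """Clear every mode bit outside `mask` on regular files under `root`.
    Directories are left alone so they keep their x (search) bit.
    Returns the sorted list of paths that were changed."""
    changed = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # O_NOFOLLOW: never act on a symlink's target outside the tree
                fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
            except OSError:
                continue  # symlink, vanished file, or not readable by this user
            try:
                st = os.fstat(fd)
                mode = stat.S_IMODE(st.st_mode)
                if stat.S_ISREG(st.st_mode) and mode & ~mask:
                    os.fchmod(fd, mode & mask)  # change by fd, not by name
                    changed.append(path)
            finally:
                os.close(fd)
    return sorted(changed)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        print(oct(simulate_upload(os.path.join(root, "a"), 0o755, 0o111, False)))
        print(oct(simulate_upload(os.path.join(root, "b"), 0o755, 0o111, True)))
        print(force_file_permissions(root))
```

A sweep like this leaves a window between upload and fix-up, so it complements rather than replaces the `noexec` mount suggested earlier in the thread.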