openssh unix dev - Dec 2017 - [SFTP] Possibility for Adding "ForceFilePermission" option

Hi,

I understand that if I specify `ForceCommand internal-sftp -u <umask>`,
the permission of any files uploaded via sftp will be calculated by
`<original permission> & ~umask`. However, this can be bypassed by the
`-P` option of `put` command. We are developing a shared hosting platform,
therefore we definitely don?t want our users being able to upload any executable
files. We can not disable the x permission by umask because directories need the
x permission.

Is there any possible way to accomplish this? or is it possible to add a
`ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?

Thanks & Best Regards,
House

On 2017-12-14T17:28, House Lee <hlee at vendasta.com>
wrote:
> Hi,
> 
> I understand that if I specify `ForceCommand internal-sftp -u
<umask>`, the permission of any files uploaded via sftp will be calculated
by `<original permission> & ~umask`. However, this can be bypassed by
the `-P` option of `put` command. We are developing a shared hosting platform,
therefore we definitely don?t want our users being able to upload any executable
files. We can not disable the x permission by umask because directories need the
x permission.
> 
> Is there any possible way to accomplish this? or is it possible to add a
`ForceFilePermission` and `ForceDirPermission` option in the sshd_config ?
Mount the filesystem in question with 'noexec', you probably also want
'nosuid' and 'nodev' anyways.



Ciao,

Alexander Wuerstlein.

On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
> Hi,
> 
> I understand that if I specify `ForceCommand internal-sftp -u
> <umask>`, the permission of any files uploaded via sftp will be
> calculated by `<original permission> & ~umask`. However, this can
be
> bypassed by the `-P` option of `put` command. We are developing a
> shared hosting platform, therefore we definitely don?t want our users
> being able to upload any executable files. We can not disable the x
> permission by umask because directories need the x permission. 
> 
> Is there any possible way to accomplish this? or is it possible to
> add a `ForceFilePermission` and `ForceDirPermission` option in the
> sshd_config ?
> 
> Thanks & Best Regards,
> House

Hello,
during last month, there were already two emails in this mailing list
discussing this issue:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
November/036468.html

The patch exists here since 2010 and it is currently used in
Fedora/RHEL to a great satisfaction, though it was never accepted by
upstream nor there was any official statement if they will eventually
accept this change or why not (and in which I would be greatly
interested).

Best advise I have is to pull that patch from the linked thread above.
Or have some script that is fixing the files permissions upon upload.

Regards,
Jakub

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

On 18/12/17 22:33, Jakub Jelen wrote:
> during last month, there were already two emails in this mailing list
> discussing [forced permissions]:
>
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
> November/036468.html
This seems like a reasonable and useful feature.? It's simple to 
implement, and, (apparently) there's already a patch to do it.

I can think of one reason why further thought is required.? It could be 
argued that this needs to be determined per-user.? That is, should there 
be some way to specify a group of users for whom permissions are not 
forced; or, in the alternative, a group of users for whom permissions 
must be forced.

I'm sorry to have erected what might seem to be a block to 
implementation of this very good idea.? It is not my intention to block 
it; I encourage it!, in part because I have a use for it.? I offer my 
help as a programmer of 40 years practice (although I perceive that 
that's not needed.)

Hi Jakub,

Sorry for the late reply. I was off from work for a few days. 

I?ve tried to add the noexec, nosuid and nodev mount options but it seems to
have some difficulties to do so with kubernetes nfs-mount. I?ll keep trying to
resolve it anyway.

The patch you pasted is exactly the thing I wanna have. I think it?s super
useful and I definitely vote yes for merging it to master. I was actually
planning to create a patch myself if not seeing your reply. Is it possible to
raise a concern about this patch in the developer group?

Regarding the ?a script that fixes file permissions upon upload?, this is also
an interesting idea. But how do I add a hook that is listening to the upload
events?

Thanks & Best Regards
House

> On Dec 18, 2017, at 06:03, Jakub Jelen <jjelen at redhat.com> wrote:
> 
> On Thu, 2017-12-14 at 10:26 -0600, House Lee wrote:
>> Hi,
>> 
>> I understand that if I specify `ForceCommand internal-sftp -u
>> <umask>`, the permission of any files uploaded via sftp will be
>> calculated by `<original permission> & ~umask`. However, this
can be
>> bypassed by the `-P` option of `put` command. We are developing a
>> shared hosting platform, therefore we definitely don?t want our users
>> being able to upload any executable files. We can not disable the x
>> permission by umask because directories need the x permission. 
>> 
>> Is there any possible way to accomplish this? or is it possible to
>> add a `ForceFilePermission` and `ForceDirPermission` option in the
>> sshd_config ?
>> 
>> Thanks & Best Regards,
>> House
> 
> 
> Hello,
> during last month, there were already two emails in this mailing list
> discussing this issue:
> 
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-
> November/036468.html
> 
> The patch exists here since 2010 and it is currently used in
> Fedora/RHEL to a great satisfaction, though it was never accepted by
> upstream nor there was any official statement if they will eventually
> accept this change or why not (and in which I would be greatly
> interested).
> 
> Best advise I have is to pull that patch from the linked thread above.
> Or have some script that is fixing the files permissions upon upload.
> 
> Regards,
> Jakub
> 
> -- 
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat, Inc.