search for: bwrap

...'re on Linux, then maybe you could cook something up using > namespaces and bind mounts to simplify this. A while ago I used the following bubblewrap-based login shell to implement said Linux namespace and bind mount solution to give restricted shell access to a mostly trusted user. Using bwrap saves the perilous trouble of writing a safe setuid solution yourself. Could be extended by looking at $SSH_ORIGINAL_COMMAND to get the sftp/rsync behavior you're looking for. Obviously, no guarantees about its safety. For example, a "Subsystem sftp" directive in the sshd_config w...

On Sat, 11 Nov 2023, Bob Proulx wrote: > I am supporting a site that allows members to upload release files. I > have inherited this site which was previously existing. The goal is > to allow members to file transfer to and from their project area for > release distribution but not to allow general shell access and not to > allow access to other parts of the system. > >