Old 10-15-2013, 04:10 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
SFTP Restricting Only Uploading Of A File


I have setup our SFTP server:

Code:
SFTP Setup:

/etc/ssh/sshd_config:

    Subsystem sftp internal-sftp

    Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory /srv/sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Adding the sftp group:

    groupadd sftpusers

Creating the only account for SFTP Access

    useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
    passwd sftpuser

Restart openssh:

    /etc/init.d/ssh restart

Setting Permission for the directory

chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly

Making a Public Directory:

mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ld /srv/sftponly/public/
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/
This allows people to upload a file and doesn't allow you to list anything, which is perfect, but I need to take it a step further and not allow downloading of anything. So for example, I upload a file called test_file.txt (sensitive data) using SFTP, and if someone else knows this filename he can download it by specifying the same name. Is it possible to restrict SFTP to only allow uploading of a file, not being able to list anything and ultimately not allowing downloading of any file, regardless of whether the name is known?

Last edited by metallica1973; 10-15-2013 at 04:32 PM.
 
Old 10-16-2013, 11:51 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
maybe run a very short timed cron to mv files to another directory?

If I had to try that, I'd utilize
Code:
lsof +D /srv/sftponly
and if it wasn't in "use", then allow the script to "move it|them".

Just an idea.
 
1 members found this post helpful.
Old 10-16-2013, 02:29 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Many thanks for the reply. That is the direction I will go with.

Last edited by metallica1973; 10-18-2013 at 09:48 AM.
 
Old 10-16-2013, 05:35 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Thank me if and when my suggestion works.

I like your recipe. I had to utilize "Match User" because "Match Group sftpusers" just wouldn't 'take' on Ubuntu 12.04.2 LTS; go figure.
 
1 members found this post helpful.
Old 10-21-2013, 02:19 PM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Thumbs up

So that people won't have to go through this pain:

SFTP Setup:

Edit /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Add the rule to match a group.

Match Group sftpusers
PasswordAuthentication yes
ChrootDirectory /srv/sftponly/public
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

Add the sftp group:

groupadd sftpusers

Add user:

useradd -d /srv/sftponly/public -g sftpusers -s /bin/false testuser
passwd testuser

Set the permissions of the directory (the chroot path has to be owned by root and only have write access for root!), with the public folder having the correct permissions (in this case "testuser" is the public folder, with chmod 300 (wx) as the folder's permissions):

d-wx------ 2 testuser sftpuser 4096 Oct 17 21:11 /srv/sftponly/public/testuser/

Next:

root@SE01:~# chown root:root /srv ; chown root:root /srv/sftponly ; chown root:root /srv/sftponly/public; mkdir /srv/sftponly/public/testuser; chown testuser:sftpuser /srv/sftponly/public/testuser

root@SE01:~# ls -ldt /srv/
drwxr-xr-x 3 root root 4096 Oct 7 11:10 /srv/
root@SE01:~# ls -ldt /srv/sftponly/
drwxr-xr-x 3 root root 4096 Oct 15 13:56 /srv/sftponly/
root@SE01:~# ls -ldt /srv/sftponly/public/
drwxr-xr-x 3 root root 4096 Oct 17 17:47 /srv/sftponly/public/
root@SE01:~# ls -ldt /srv/sftponly/public/testuser/
d-wx------ 2 testuser sftpuser 4096 Oct 17 21:11 /srv/sftponly/public/testuser/

Finally, set the umask for the files that are being uploaded in /etc/pam.d/sshd:

session optional pam_umask.so umask=0400

Default Directory Permissions 777
Default File Permissions 666

To get the desired file permission:

666 - 266 (umask) = 400, resulting in files of

--w------- 1 testuser sftpusers 5 Oct 21 14:00 blah-blah

Now, start openssh:

/etc/init.d/ssh restart
 