Linux - Networking
#1, 10-15-2013, 05:10 PM
Senior Member, Registered: Feb 2003, Location: Washington D.C, Posts: 2,190
SFTP Restricting Only Uploading Of A File
I have set up our SFTP server:
Code:
SFTP Setup:
/etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory /srv/sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Adding the sftp group:
groupadd sftpusers
Creating the only account for SFTP access:
useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
passwd sftpuser
Restart openssh:
/etc/init.d/ssh restart
Setting permissions for the directory:
chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly
Making a public directory:
mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ltd /srv/sftponly/public/
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/
This allows people to upload a file and doesn't allow you to list anything, which is perfect, but I need to take it a step further and not allow downloading of anything. So for example, I upload a file called test_file.txt (sensitive data) using SFTP, and if someone else knows this filename he can download it by specifying the same name. Is it possible to restrict SFTP to only allow uploading of a file, not being able to list anything and ultimately not allowing downloading of any file regardless of whether the name is known?
Last edited by metallica1973; 10-15-2013 at 05:32 PM.
#2, 10-16-2013, 12:51 PM
LQ Veteran, Registered: Jan 2011, Location: Abingdon, VA, Distribution: Catalina, Posts: 9,374
Maybe run a very short-timed cron to mv files to another directory?
If I had to try that, I'd utilize
Code:
lsof +D /srv/sftponly
and if it wasn't in "use", then allow the script to "move it|them".
Just an idea.
1 member found this post helpful.
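The cron sweep suggested in the post above, written out as an added example that is not from the post or the thread. It assumes Linux (/proc and GNU coreutils) and replaces `lsof +D` with a scan of /proc/*/fd so it has no extra dependencies; the source and destination directories are placeholders. The destination must be a root-owned directory that the SFTP account cannot reach inside its chroot, otherwise the moved file is still downloadable by name. Until a file is swept it can still be fetched by anyone who knows the name, so the sweep interval should be short; the age threshold guards against grabbing a half-written upload, and the open-file check is only a snapshot, so keep both.

```shell
#!/bin/sh
# Added example, not from the thread: move finished uploads out of the SFTP
# drop directory into a root-only holding directory so they can no longer be
# fetched by name. Intended to run from root's crontab, e.g. every minute:
#   * * * * * /usr/local/sbin/sweep_uploads.sh run   (path is a placeholder)
# Assumes Linux (/proc, GNU stat). Directory names below are placeholders.

# file_is_open PATH -> 0 if any process this user can inspect has PATH open,
# 1 otherwise. Dependency-free stand-in for `lsof +D DIR` from the thread.
file_is_open() {
    target=$(readlink -f "$1")
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "$target" ] && return 0
    done
    return 1
}

# sweep_uploads SRC DST [MIN_AGE_SECONDS] -> moves regular files from SRC to
# DST when they are not open and were last modified at least MIN_AGE_SECONDS
# ago (default 60), then strips all access except owner read/write and, when
# run as root, hands them to root. Prints the number of files moved.
sweep_uploads() {
    src=$1; dst=$2; min_age=${3:-60}
    now=$(date +%s); moved=0
    for f in "$src"/*; do
        # regular files only: skip subdirectories, symlinks the uploader may
        # have planted, and the literal pattern when SRC is empty
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        age=$(( now - $(stat -c %Y "$f") ))
        [ "$age" -ge "$min_age" ] || continue
        file_is_open "$f" && continue
        name=$(basename "$f")
        dest="$dst/$name"
        # never clobber an earlier upload that had the same name
        [ -e "$dest" ] && dest="$dst/$name.$now.$$"
        # rename within one filesystem is atomic; the uploader loses the name
        mv -- "$f" "$dest" || continue
        chmod 0600 "$dest"
        [ "$(id -u)" -eq 0 ] && chown root:root "$dest"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Run directly with "run": sweep the thread's layout (placeholder paths).
if [ "${1:-}" = "run" ]; then
    sweep_uploads /srv/sftponly/public/testuser /srv/sftp-incoming 60
fi
```

Keep the holding directory on the same filesystem as the drop directory so `mv` is a rename rather than a copy that briefly leaves both files readable.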
#3, 10-16-2013, 03:29 PM
Senior Member (Original Poster), Registered: Feb 2003, Location: Washington D.C, Posts: 2,190
Many thanks for the reply. That is the direction I will go with.
Last edited by metallica1973; 10-18-2013 at 10:48 AM.
#4, 10-16-2013, 06:35 PM
LQ Veteran, Registered: Jan 2011, Location: Abingdon, VA, Distribution: Catalina, Posts: 9,374
Thank me if and when my suggestion works.
I like your recipe; I had to utilize "Match User" because "Match Group sftpusers" just wouldn't 'take' on Ubuntu 12.04.2 LTS.
Go figure.
1 member found this post helpful.
#5, 10-21-2013, 03:19 PM
Senior Member (Original Poster), Registered: Feb 2003, Location: Washington D.C, Posts: 2,190
So that people won't have to go through this pain:
SFTP Setup:
Edit /etc/ssh/sshd_config:
Subsystem sftp internal-sftp
Add the rule to match a group:
Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory /srv/sftponly/public
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Add the sftp group:
groupadd sftpusers
Add user:
useradd -d /srv/sftponly/public -g sftpusers -s /bin/false testuser
passwd testuser
Set permissions of the directory (the chroot path has to be owned by root and only have write access for root!), with the public folder having the correct permissions (in this case "testuser" is the public folder, with chmod 300 (wx) as the permissions of the folder).
Next:
root@SE01:~# chown root:root /srv ; chown root:root /srv/sftponly ; chown root:root /srv/sftponly/public ; chmod 755 /srv /srv/sftponly /srv/sftponly/public ; mkdir /srv/sftponly/public/testuser ; chown testuser:sftpusers /srv/sftponly/public/testuser ; chmod 300 /srv/sftponly/public/testuser
root@SE01:~# ls -ldt /srv/
drwxr-xr-x 3 root root 4096 Oct 7 11:10 /srv/
root@SE01:~# ls -ldt /srv/sftponly/
drwxr-xr-x 3 root root 4096 Oct 15 13:56 /srv/sftponly/
root@SE01:~# ls -ldt /srv/sftponly/public/
drwxr-xr-x 3 root root 4096 Oct 17 17:47 /srv/sftponly/public/
root@SE01:~# ls -ldt /srv/sftponly/public/testuser/
d-wx------ 2 testuser sftpusers 4096 Oct 17 21:11 /srv/sftponly/public/testuser/
Finally, set the umask for the files that are being uploaded in /etc/pam.d/sshd:
session optional pam_umask.so umask=0466
Default directory permissions: 777
Default file permissions: 666
To get the file permissions that are desired:
666 & ~466 (umask) = 200 = resulting files of
--w------- 1 testuser sftpusers 5 Oct 21 14:00 blah-blah
Now, restart openssh:
/etc/init.d/ssh restart