
[Bug 3451] New: Log which sftp command has been denied due to blacklist
https://bugzilla.mindrot.org/show_bug.cgi?id=3451

Bug ID: 3451
Summary: Log which sftp command has been denied due to blacklist
Product: Portable OpenSSH
Version: v9.0p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sftp-server
Assignee: unassigned-bugs@mindrot.org
Reporter: daku8938@gmx.de

When restricting the allowed sftp-server commands with the
whitelist/blacklist options (-p / -P) and the client requests a
disallowed command, it is only logged "sent status Permission denied":

internal-sftp[1234]: sent status Permission denied

For transparency (if multiple commands are not allowed, to be able to
distinguish), it would be better that the denied command would be
logged, too, e.g.

internal-sftp[1234]: sent status Permission denied (mkdir)

I think it would be sufficient to only log the command without any
parameters (like directory names), like above, to be clear that the
command in general is forbidden, regardless of its parameters.

Here is my -p whitelist, which does not contain rmdir/mkdir and works
fine, aside from the non-saying log.

Subsystem sftp internal-sftp
ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync

I could not see in the release notes

https://www.openssh.com/releasenotes.html

that this logging would have changed since the version I am currently
using, which is 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.
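As an added illustration (not code from the report or from OpenSSH), the following Python models the -p/-P allow/deny precedence against the report's own whitelist and tallies the "sent status Permission denied" lines per sftp-server session, which is all the log line quoted above offers; the check ordering, the wildcard matching, and the sample log lines are assumptions.

```python
import fnmatch
import re
from collections import Counter

# The -p allowlist from the report's ForceCommand line, verbatim.
REPORT_ALLOWLIST = ("open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,"
                    "readdir,remove,realpath,stat,rename,readlink,symlink,"
                    "posix-rename,statvfs,fstatvfs,hardlink,fsync")

# Constructed sample syslog lines in the shape quoted in the report (not real output).
SAMPLE_LOG = [
    "Jun  1 10:00:01 host internal-sftp[1234]: session opened for local user alice",
    "Jun  1 10:00:05 host internal-sftp[1234]: sent status Permission denied",
    "Jun  1 10:00:06 host internal-sftp[1234]: sent status Permission denied",
    "Jun  1 10:01:00 host internal-sftp[1300]: sent status Permission denied",
    "Jun  1 10:01:02 host internal-sftp[1300]: sent status No such file",
]

def _match_list(name, patterns):
    """Assumed to mirror a comma-separated pattern list; '*' and '?' wildcards allowed."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns.split(","))

def request_permitted(name, allowlist=None, denylist=None):
    """Decide whether request 'name' passes -p (allowlist) / -P (denylist).

    Ordering is an assumption: a denylist match refuses first; with an
    allowlist set, anything not matching it is refused; otherwise permit.
    """
    if denylist is not None and _match_list(name, denylist):
        return False
    if allowlist is not None:
        return _match_list(name, allowlist)
    return True

def denied_requests(candidates, allowlist=None, denylist=None):
    """Sorted subset of candidate request names that the options would refuse."""
    return sorted(n for n in candidates if not request_permitted(n, allowlist, denylist))

DENIED_RE = re.compile(r"internal-sftp\[(\d+)\]: sent status Permission denied$")

def denials_per_session(lines):
    """Count 'Permission denied' statuses per sftp-server pid.

    At -l INFO this count is the only signal; the refused command name itself
    does not appear in the line, which is the gap the report asks to close.
    """
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line.rstrip())
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```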

openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs