
Adding filename verification to sftp-server
Hello,

In one of the projects, I'd like to restrict what files sftp-server
can deliver. The -p, whitelisting requests, helps contain the client,
but does not limit what files they have access to.

If a user has root on their box, they can of course use chroot, but not
every person has root, nor the desire to set up a particular user or
dedicated ssh server for this.

My thought (and implemented) was to add a simple option to sftp-server
to add a list of files that open is permitted to open.

The code is available at:
https://www.funkthat.com/gitea/jmg/openssh-portable.git

on the branch sftp-firewall.

I wasn't sure what the best way to submit a patch was, so let me know
if there is a better way.

Thanks.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
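As an added illustration of the allowlist idea above (not code from the sftp-firewall branch or from OpenSSH), the check below resolves both the requested name and each allowlist entry with realpath(3) before comparing them, so a relative spelling or a symlink is judged by the file it actually reaches, and anything that does not resolve is refused. The demo tree, its file names and the demo_* helpers are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Allowlist check modelled on the proposal (not OpenSSH code): open succeeds
 * only if the requested name resolves, via realpath(3), to the same file as an
 * allowlist entry, so "./x" and symlinks are judged by the file they reach. */
int open_allowed(const char *requested, const char *const *allow, size_t n)
{
    char want[PATH_MAX], have[PATH_MAX];
    if (realpath(requested, want) == NULL)   /* does not resolve: deny */
        return 0;
    for (size_t i = 0; i < n; i++)
        if (realpath(allow[i], have) != NULL && strcmp(want, have) == 0)
            return 1;
    return 0;
}

/* Constructed demo tree (hypothetical names) in a fresh temp directory:
 * allowed.txt, secret.txt and a symlink trap -> secret.txt. */
static const char *demo_dir(void)
{
    static char dir[PATH_MAX]; char p[PATH_MAX];
    const char *files[] = { "allowed.txt", "secret.txt" };
    if (dir[0] == '\0') {
        snprintf(dir, sizeof dir, "/tmp/sftpfw-XXXXXX");
        if (mkdtemp(dir) == NULL) { dir[0] = '\0'; return NULL; }
        for (int i = 0; i < 2; i++) {
            snprintf(p, sizeof p, "%s/%s", dir, files[i]);
            close(open(p, O_WRONLY | O_CREAT, 0600));
        }
        snprintf(p, sizeof p, "%s/trap", dir); symlink("secret.txt", p);
    }
    return dir;
}
/* NAME is relative to the demo tree; the allowlist holds only allowed.txt. */
int demo_allowed(const char *name)
{
    char path[PATH_MAX], ok[PATH_MAX];
    const char *dir = demo_dir(), *allow[1] = { ok };
    if (dir == NULL) return 0;
    snprintf(ok, sizeof ok, "%s/allowed.txt", dir);
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open_allowed(path, allow, 1);
}
```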
Re: Adding filename verification to sftp-server
John-Mark Gurney wrote this message on Mon, Oct 19, 2020 at 12:03 -0700:
> In one of the projects, I'd like to restrict what files sftp-server
> can deliver. The -p, whitelisting requests, helps contain the client,
> but does not limit what files they have access to.
>
> If a user has root on their box, they can of course use chroot, but not
> every person has root, nor the desire to set up a particular user or
> dedicated ssh server for this.
>
> My thought (and implemented) was to add a simple option to sftp-server
> to add a list of files that open is permitted to open.
>
> The code is available at:
> https://www.funkthat.com/gitea/jmg/openssh-portable.git
>
> on the branch sftp-firewall.
>
> I wasn't sure what the best way to submit a patch was, so let me know
> if there is a better way.

Ping, never got a response to this email. Or a direction on where
better to send this.

It'd be nice to at least get a confirmation that OpenSSH devs are not
interested in this patch before I start working on a fork of sftp-server.

--
John-Mark Gurney Voice: +1 415 225 5579

"All that I will do, has been done, All that I have, has not."