Valued Contributor
Sreer
Posts: 222
Registered: 07-02-2008
Message 1 of 4

Need to tune SFTP access

Hello Gurus,

I have a requirement for tuning SFTP access.

Is it possible to restrict the rmdir & rm commands while using SFTP?

Read/write access is needed, but not rm & rmdir access. Could you please help me?

Server is 11.23

Rgds

Sree

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 2 of 4

Re: Need to tune SFTP access

The SFTP server that is included with the standard HP SSH does not allow restricting individual SFTP commands.
But if you set "chmod +t" on a directory, it will restrict file deletion within that directory: in a chmod +t directory, you must be the owner of the file or the owner of the directory in order to be able to delete a file, even if you have write access to the directory. This feature is often used in /tmp and/or /var/tmp, but you can use it in any directory if you find it useful.

MK
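An added example (not from the thread) that applies the sticky-bit rule MK describes to a real directory: deletion needs write permission on the directory, and with +t set the caller must additionally own either the file or the directory. The uid/gids arguments are simulated so the cross-user case can be exercised without root; mode and ownership are read from the filesystem, assuming POSIX semantics.

```python
import os
import stat
import tempfile


def can_unlink(dir_path, name, uid, gids):
    """Return True if `uid` (with supplementary groups `gids`) may delete
    `name` from `dir_path` under the POSIX rule: write permission on the
    directory, plus ownership of the file or the directory when the
    directory has the sticky bit. uid 0 is treated as root and bypasses both
    checks. Modes and owners come from the filesystem; uid/gids are simulated."""
    d = os.stat(dir_path)
    f = os.lstat(os.path.join(dir_path, name))
    if uid == 0:
        return True
    # Which permission triple applies to this caller on the directory?
    if uid == d.st_uid:
        may_write = bool(d.st_mode & stat.S_IWUSR)
    elif d.st_gid in gids:
        may_write = bool(d.st_mode & stat.S_IWGRP)
    else:
        may_write = bool(d.st_mode & stat.S_IWOTH)
    if not may_write:
        return False
    # Sticky bit: write access alone is no longer enough to remove entries.
    if d.st_mode & stat.S_ISVTX and uid not in (f.st_uid, d.st_uid):
        return False
    return True


def demo():
    """Create a constructed shared upload directory, then show what chmod +t
    changes. Returns (other_before_sticky, other_after_sticky, owner_after)."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "upload")
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # world-writable, no sticky bit yet
    with open(os.path.join(shared, "report.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    me = os.getuid()
    other = me + 1  # simulated second account: owns neither file nor directory
    before = can_unlink(shared, "report.txt", other, gids=())
    os.chmod(shared, 0o1777)  # equivalent of chmod +t on the directory
    after_other = can_unlink(shared, "report.txt", other, gids=())
    after_owner = can_unlink(shared, "report.txt", me, gids=())
    return before, after_other, after_owner
```

As the thread goes on to note, +t only helps when each user has their own account; with one shared account every user is the file owner and the bit changes nothing.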
Valued Contributor
Sreer
Posts: 222
Registered: 07-02-2008
Message 3 of 4

Re: Need to tune SFTP access

Hi Matti,

Thanks for the help.

My requirement is that even the owner is not supposed to be able to delete a file via SFTP!

I know it is strange... The scenario is that many users are using the common account via SFTP.

Rgds

Sree

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 4 of 4

Re: Need to tune SFTP access

Looks like the commercial Tectia SSH server (from ssh.com) is somewhat more configurable, but unfortunately it does not have the ability to restrict individual SFTP commands either.
In theory, you might get the OpenSSH / HP SSH source code, modify the sftp-server component source code to disable the commands you don't want, and compile a custom sftp-server component for your use. Of course, the requirement for this would be that you or someone else in your organization knows how to program in C.
You would also have to modify the sftp-server component to prevent the overwriting of existing files, since overwriting a file with different contents is probably just as bad as deleting it. Right?
This kind of setup would also assume that the users never make mistakes and the network never fails in mid-transfer. In my experience, that assumption is rather unrealistic. If the users cannot delete or overwrite any files, they would have to ask someone else to fix it every time they transfer a wrong file or the transmission is interrupted by a network failure.
>... many users are using the common account which is via sftp.
This is probably the true cause for your problems.

Is it really impossible to assign a separate account for each user?
MK