Re: Need to tune SFTP access (305 Views)
Reply
Valued Contributor
Sreer
Posts: 222
Registered: ‎07-02-2008
Message 1 of 4 (364 Views)

Need to tune SFTP access

Hello Gurus,

 

I have arequirement for tuning SFTP access.

 

Is it possible to restrict rmdir & rm commands while using via SFTP?

 

It is needed read/write acees but not the rm & rmdir access. Could you please help me?

 

Server is 11.23

 

Rgds

Sree

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 2 of 4 (327 Views)

Re: Need to tune SFTP access

The SFTP server that is included with the standard HP SSH does not allow restricting individual SFTP commands.

 

But if you set "chmod +t" on a directory, it will restrict file deletion within that directory: in a chmod +t directory, you must be the owner of the file or the owner of the directory in order to be able to delete a file, even if you have write access to the directory. This feature is often used in /tmp and/or /var/tmp, but you can use it in any directory if you find it useful.

MK
Valued Contributor
Sreer
Posts: 222
Registered: ‎07-02-2008
Message 3 of 4 (321 Views)

Re: Need to tune SFTP access

Hi Matti,

 

Thanks for help.

 

 

My requirement is even owner also not supposed to delete a file while via sftp!

 

I know it is strange... The scenario is many users are using the common account which is via sftp.

 

Rgds

Sree

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 4 of 4 (305 Views)

Re: Need to tune SFTP access

Looks like the commercial Tectia SSH server (from ssh.com) is somewhat more configurable, but unfortunately it does not have the ability to restrict individual SFTP commands either.

 

In theory, you might get the OpenSSH / HP SSH source code, modify the sftp-server component source code to disable the commands you don't want, and compile a custom sftp-server component for your use. Of course, the requirement for this would be that you or someone else in your organization knows how to program in C.

 

You would also have to modify the sftp-server component to prevent the overwriting of existing files, since overwriting a file with different contents is probably just as bad as deleting it. Right?

 

This kind of setup would also assume that the users never make mistakes and the network never fails in mid-transfer. In my experience, that assumption is rather unrealistic. If the users cannot delete or overwrite any files, they would have to ask someone else to fix it every time they transfer a wrong file or the transmission is interrupted by a network failure.

 

>... many users are using the common account which is via sftp.

 

This is probably the true cause for your problems.

Is it really impossible to assign a separate account for each user?

 

MK
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.