Visit Our UNIX and Linux User Community


SFTP Resticting Only Uploading Of A File


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users SFTP Resticting Only Uploading Of A File
# 1  
Old 10-15-2013
SFTP Resticting Only Uploading Of A File

I have setup our SFTP server:

Code:
SFTP Setup:

/etc/ssh/sshd_config:

    Subsystem sftp internal-sftp

    Match Group sftpusers
    PasswordAuthentication yes
    ChrootDirectory /srv/sftponly
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Adding the sftp group:

    groupadd sftpusers

Creating the only account for SFTP Access

    useradd -d /srv/sftponly -g sftpusers -s /bin/false sftpuser
    passwd sftpuser

Restart openssh:

    /etc/init.d/ssh restart

Setting Permission for the directory

chown root:root /srv ; chown root:root /srv/sftponly ; chmod 755 /srv ; chmod 755 /srv/sftponly

Making a Public Directory:

mkdir /srv/sftponly/public
chown sftpuser:sftpusers /srv/sftponly/public/
chmod 333 /srv/sftponly/public/
ls -ltd
d-wx-wx-wx 2 sftpuser sftpusers 4096 Oct 15 14:51 /srv/sftponly/public/

This allows people to upload a file, doesnt allow you to be able to list anything which is perfect but I need to take it a step further and not allow downloading of anything. So for example, I upload a file called test_file.txt(sensitive data), using SFTP and if someone else knows this filename he can download it by specifyiing the same name. Is it possible to restrict SFTP to only allow uploading of a file, not being able to list anything and ultimately not allowing downloading of anyfile regardless if the name is known?

Last edited by metallica1973; 10-15-2013 at 07:32 PM..
# 2  
Old 10-15-2013
I wonder if you could do this with a default umask for the sftp user.
# 3  
Old 10-16-2013
many thanks for the reply. Could you elaborate. Another option that was mentioned was to create a cron entry to either remove or move the files to another directory
# 4  
Old 10-16-2013
Should you not change the owner of the public directory to root. and set the sticky bit.
As it is now, a sftp user can delete the entire directory.
# 5  
Old 10-18-2013
Ok long story short, I managed to get thing straight with my SFTP server and login. I am still stuck on the umask stuff in preventing a users who uploads a file from allowing another user to download it if they know what the file name is. I have been asked to use only one account to allow users to upload information and prevent others from downloading it. So the goal is to allow an upload of files one time only and thats it. I played around in /etc/ssh/sshd_config:

PHP Code:
  ForceCommand internal-sftp -u 0000 
is this what I need or am I envoking this wrong? or did I read umasking wrong, should it be 777(not allowing any permissions). I get confused with chmod stuff.

http://www.cyberciti.biz/tips/unders...lue-usage.html

So should it be:

PHP Code:
  ForceCommand internal-sftp -u 0777 
I tried that and it did do anything?

Last edited by metallica1973; 10-18-2013 at 04:57 PM..
# 6  
Old 10-21-2013
So that people wont have to go through this pain:

SFTP Setup:

Edit /etc/ssh/sshd_config:

Subsystem sftp internal-sftp

Add the rule to match a group.

Match Group sftpusers
PasswordAuthentication yes
ChrootDirectory /srv/sftponly/public
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp

Add the sftp group:

groupadd sftpusers

Add user:

useradd -d /srv/sftponly/public -g sftpusers -s /bin/false testuser
passwd testuser

Set permissions of directory(chroot path has to be owned by root and only have write access for root!) with whatever public folder having the correct permissions(in this case "testuser" is the public folder with chmod 300 (wx) as the permissions of the folder.

d-wx------ 2 testuser sftpuser 4096 Oct 17 21:11 /srv/sftponly/public/testuser/

Next:

root@SE01:~# chown root:root /srv ; chown root:root /srv/sftponly ; chown root:root /srv/sftponly/public; mkdir /srv/sftponly/public/testuser; chown testuser:sftpuser /svr/sftpuser/public/testuser

root@SE01:~# ls -ldt /srv/
drwxr-xr-x 3 root root 4096 Oct 7 11:10 /srv/
root@SE01:~# ls -ldt /srv/sftponly/
drwxr-xr-x 3 root root 4096 Oct 15 13:56 /srv/sftponly/
root@SE01:~# ls -ldt /srv/sftponly/public/
drwxr-xr-x 3 root root 4096 Oct 17 17:47 /srv/sftponly/public/
root@SE01:~# ls -ldt /srv/sftponly/public/sendus/
d-wx------ 2 testuser sftpuser 4096 Oct 17 21:11 /srv/sftponly/public/testuser/

Finally set the umask for the files that are being uploaded /etc/pam.d/sshd

session optional pam_umask.so umask=0400

Default Directory Permissions 777
Default File Permissions 666

To get file permission that is desired

666-266(umask)= 400 = resulting files of

--w------- 1 testuser sftpusers 5 Oct 21 14:00 blah-blah

Now, start openssh:

/etc/init.d/ssh restart
This User Gave Thanks to metallica1973 For This Post:

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Uploading using sftp file1 copied to file2

Hi All, i am using hp-ux server and doing mput command for uploading the multiple files. below is the code sftp hfjr@usilehrttlsd01.com cd /home/sftp_dir mput kk1 kk2 i am getting Uploading kk1 to /home/sftp_dir/kk2. problem is i am getting kk2 file only not kk1 file. when i am... (13 Replies)
Discussion started by: krupasindhu18
13 Replies

2. Shell Programming and Scripting

Perl , uploading empty file.

Hi The below script used to work fine. Suddenly it's uploading empty file. I am very new to perl. Please help me to find out the problem. #!/usr/bin/perl #script: upload.pl use CGI qw/:standard/; print header, start_html('File upload'); print_form(); print_results() if... (2 Replies)
Discussion started by: Anupam_Halder
2 Replies

3. Shell Programming and Scripting

Shell: uploading file from UNIX server to sharepoint server

Is it possible to upload a file from unix server to sharepoint server through shell or perl scripting. I have the sharepoint link where it needs to be uploaded. Could you please share your views on this ? (0 Replies)
Discussion started by: scriptscript
0 Replies

4. Shell Programming and Scripting

Uploading a file in ftp by culr?

I have ftp url, username and passwd. My file is named app.log. How do I upload this to my ftp server??? I read the manual but I didn't understand much...:cool: (4 Replies)
Discussion started by: hakermania
4 Replies

5. Shell Programming and Scripting

Issue in uploading file using sftp

Hi I'm using this script to upload a file from local system to sftp server. But in the log file i'm getting an error "Error during upload" Can you please help me out ... ### CONFIGURATION LOCAL_DIR=/abc/out FILE_MASK="File*.txt" LOG_DIR=/abc/error/File_`date "+%Y%m%d%H%M%S"`.LOG... (3 Replies)
Discussion started by: Jaychandra
3 Replies

6. UNIX for Dummies Questions & Answers

help uploading directories with SFTP

Hi, I am a newbie and not really familiar with commands, I have searched the forum, but there was only one thread. That thread suggested compressing it and then decompressing it. So I am wondering, what format do I compress it to, and how do I decompress it once I uploaded it from within SFTP... (4 Replies)
Discussion started by: greetea
4 Replies

7. Solaris

Issue With File Permissions while uploading

one of the business users is ftping files into unix box using user name ftp_user, where as i am using infa_user to login into same unix box. When i am trying to access those or copy over those files from upload directory it says permission denied. Though i know the password of ftp_user to... (4 Replies)
Discussion started by: Ariean
4 Replies

8. Linux

resticting user to login using putty on port 21(ftp)

Hi, I am having small query and wheather it is possible ? that user can transfer the files using ftp client examples (filezilla) , but he can not use putty to login using ftp and run the commands, Regards, Manoj (2 Replies)
Discussion started by: manoj.solaris
2 Replies

9. Shell Programming and Scripting

uploading directories via SFTP

Hello All, Is there a way to upload whole directories to a machine using sftp (scp is not an option)? I have to use sftp because the machine that I am connecting to only has SFTP abilities (uploading from a linux box to a windows box). Currently I am automating a copy however right now I am... (2 Replies)
Discussion started by: mab623
2 Replies

10. Shell Programming and Scripting

Uploading a flat file into the database.

I want to upload a text file into the database. what is the command for that? Thanks in Advance. (1 Reply)
Discussion started by: Balkrishna
1 Replies

Featured Tech Videos