[scponly] scponly and umask

Kaleb Pederson kaleb.pederson at gmail.com
Tue Mar 31 16:54:24 EDT 2009


On Tue, Mar 31, 2009 at 1:43 PM, Ken <kbingham at booksurge.com> wrote:
> The behavior of sftp command 'mkdir' is the same with either shell sh or
> scponlyc. The umask of the new dir is determined by the client, and does
> not conform to the sftpfilecontrol directive in sshd_config, SftpUmask
> 0002. Chmod is also possible within the client.

That's what I thought.  So, for some reason ssh is not picking up the
values from sshd_config correctly (maybe it wasn't restarted, maybe it
wasn't correctly patched, etc.).

SFTP_PERMIT_CHMOD should be 0, as should SFTP_PERMIT_CHOWN.  I didn't
bother checking the umask environment variable, but if you can read
source code you could look through the patch and determine what it
should be set to as well.

You'll need to figure out how to make the sftp file controls work in a
normal shell using the sftpfilecontrol patch.  Once you have it
working in a normal shell, then you can switch over to the scponly
pseudo-shell and hopefully everything will just work at that point.

--Kaleb

> env with /bin/sh:
> SFTP_PERMIT_CHOWN=1
> SHELL=/bin/sh
> SSH_CLIENT=<source IP> <sport> <dport>
> USER=kentest
> MAIL=/var/mail/kentest
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
> PWD=<$HOME>
> SHLVL=1
> SFTP_PERMIT_CHMOD=1
> HOME=<$HOME>
> LOGNAME=kentest
> SSH_CONNECTION=<source IP> <sport> <dest IP> <dport>
> SFTP_UMASK=
> _=/usr/local/libexec/sftp-server
>
> env with /usr/local/sbin/scponlyc:
> USER=kentest
> SFTP_UMASK=
> SFTP_PERMIT_CHMOD=1
> SFTP_PERMIT_CHOWN=1
>
>
> Ken Bingham
> SysAdmin, Booksurge
> (843) 760-8038 EDT
>
>
>
> Kaleb Pederson wrote:
>> On Tuesday 31 March 2009 10:32:44 am Ken wrote:
>>> Hey Kaleb,
>>>
>>> By "normal" user I mean having a normal shell, e.g. bash, as opposed to
>>> scponly shell. Do you mean something other than either of these two by
>>> "test" user?
>>
>> I assume that you have a test account whose shell you can change arbitrarily for testing purposes.  Assuming you do, I'm interested in the behavior differences between the two.
>>
>> If I understand you correctly, you have examined the environment variables for both shells and found that they are identical.  That's a good thing since that implies that what scponly is doing should work with both.
>>
>> So, knowing the above, I'm trying to determine if the chmod/chown behavior that you see with /bin/sh as opposed to scponly is identical.  If the behavior is identical, then we need not look at scponly as the culprit.  If the behavior is different, then we need to understand where those differences are coming from.
>>
>> In looking at the sftpfilecontrol patch, the behavior that you have described seems to match what the environment variables permit, but NOT the behavior that is described in sshd_config, as if the directives in sshd_config are not being interpreted correctly.
>>
>> Can you test out an account that uses /bin/sh and tell me if the chmod/chown restrictions are in place?
>
>
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
>
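Added example (not part of the thread, and not code from the scponly or
sftpfilecontrol projects): a small model of what the three environment
variables shown above mean for an incoming SFTP mkdir/chmod request, plus
a check that compares an observed environment with the values the thread
says a working "SftpUmask 0002" setup should produce.  Assumptions: the
patch exports the umask as an octal string in SFTP_UMASK (empty or unset
meaning "no server-side umask, the client's mode wins"), and treats
SFTP_PERMIT_CHMOD / SFTP_PERMIT_CHOWN as "0" for deny and anything else
for permit; the EXPECTED values are what the discussion asks for, not
something read out of the patch source.

```python
"""Model the sftpfilecontrol env vars for a mkdir request and diagnose a
login environment.  Hypothetical helper written for this example; the real
sftp-server patch is the authority on the exact semantics."""
import os

# What the thread expects once sshd really applies "SftpUmask 0002" and the
# chmod/chown restrictions (assumed encoding of the three variables).
EXPECTED = {
    "SFTP_UMASK": "0002",
    "SFTP_PERMIT_CHMOD": "0",
    "SFTP_PERMIT_CHOWN": "0",
}


def parse_umask(value):
    """Return the umask as an int, or None when the variable is unset/empty
    (the situation in both listings above: no server-side mask at all)."""
    if value is None or value.strip() == "":
        return None
    return int(value, 8)


def effective_mkdir_mode(client_mode, env):
    """Permission bits a new directory ends up with.  Without SFTP_UMASK the
    client-requested mode is used as-is, which is why the client appeared to
    be 'determining the umask' in the thread."""
    umask = parse_umask(env.get("SFTP_UMASK"))
    if umask is None:
        return client_mode & 0o7777
    return client_mode & ~umask & 0o7777


def chmod_permitted(env):
    """Assumed patch semantics: only the string "0" denies chmod."""
    return env.get("SFTP_PERMIT_CHMOD", "1") != "0"


def chown_permitted(env):
    """Assumed patch semantics: only the string "0" denies chown."""
    return env.get("SFTP_PERMIT_CHOWN", "1") != "0"


def diagnose(env):
    """Compare an observed environment with EXPECTED.  Returns a list of
    human-readable mismatches; an empty list means the sshd_config
    directives reached sftp-server."""
    findings = []
    for key, want in EXPECTED.items():
        got = env.get(key, "")
        if got != want:
            findings.append("%s=%r, expected %r" % (key, got, want))
    return findings


# Constructed from the two listings in the thread (unrelated vars omitted).
ENV_SH = {"SFTP_PERMIT_CHOWN": "1", "SFTP_PERMIT_CHMOD": "1", "SFTP_UMASK": ""}
ENV_SCPONLYC = {"USER": "kentest", "SFTP_UMASK": "",
                "SFTP_PERMIT_CHMOD": "1", "SFTP_PERMIT_CHOWN": "1"}


if __name__ == "__main__":
    # Both shells hand sftp-server the same (wrong) controls, so scponly
    # is not the place to look; the directives are not being applied.
    for name, env in (("/bin/sh", ENV_SH), ("scponlyc", ENV_SCPONLYC)):
        print(name, "mkdir 0777 ->", oct(effective_mkdir_mode(0o777, env)),
              "chmod:", chmod_permitted(env), "chown:", chown_permitted(env))
        for finding in diagnose(env):
            print("  ", finding)
    # Run this under the test account to check the live environment.
    for finding in diagnose(dict(os.environ)):
        print("live:", finding)
```

Run it from the test account's login shell (as Kaleb suggests, the normal
shell first, then scponlyc): if diagnose() reports nothing, the directives
are reaching sftp-server and mkdir from the client will be masked to 0775.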
