[scponly] scponly and umask
Ken
kbingham at booksurge.com
Tue Mar 31 16:43:40 EDT 2009
The behavior of sftp command 'mkdir' is the same with either shell sh or
scponlyc. The umask of the new dir is determined by the client, and does
not conform to the sftpfilecontrol directive in sshd_config, SftpUmask
0002. Chmod is also possible within the client.
env with /bin/sh:
SFTP_PERMIT_CHOWN=1
SHELL=/bin/sh
SSH_CLIENT=<source IP> <sport> <dport>
USER=kentest
MAIL=/var/mail/kentest
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
PWD=<$HOME>
SHLVL=1
SFTP_PERMIT_CHMOD=1
HOME=<$HOME>
LOGNAME=kentest
SSH_CONNECTION=<source IP> <sport> <dest IP> <dport>
SFTP_UMASK=
_=/usr/local/libexec/sftp-server
env with /usr/local/sbin/scponlyc:
USER=kentest
SFTP_UMASK=
SFTP_PERMIT_CHMOD=1
SFTP_PERMIT_CHOWN=1
Ken Bingham
SysAdmin, Booksurge
(843) 760-8038 EDT
Kaleb Pederson wrote:
> On Tuesday 31 March 2009 10:32:44 am Ken wrote:
>> Hey Kaleb,
>>
>> By "normal" user I mean having a normal shell, e.g. bash, as opposed to
>> scponly shell. Do you mean something other than either of these two by
>> "test" user?
>
> I assume that you have a test account whose shell you can change arbitrarily for testing purposes. Assuming you do, I'm interested in the behavior differences between the two.
>
> If I understand you correctly, you have examined the environment variables for both shells and found that they are identical. That's a good thing since that implies that what scponly is doing should work with both.
>
> So, knowing the above, I'm trying to determine if the chmod/chown behavior that you see with /bin/sh as opposed to scponly is identical. If the behavior is identical, then we need not look at scponly as the culprit. If the behavior is different, then we need to understand where those differences are coming from.
>
> In looking at the sftpfilecontrol patch, the behavior that you have described seems to match what the environment variables permit, but NOT the behavior that is described in sshd_config, as if the directives in sshd_config are not being interpreted correctly.
>
> Can you test out an account that uses /bin/sh and tell me if the chmod/chown restrictions are in place?
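As an added illustration of the point the thread is circling (not code from the thread, from scponly, or from the sftpfilecontrol patch): the env listings above show SFTP_UMASK arriving empty at sftp-server, so whatever the client requests for a new directory passes through unmasked. The script below models that. It assumes, as a hypothesis about the patch rather than a documented fact, that SFTP_UMASK carries the SftpUmask value as an octal string and that SFTP_PERMIT_CHMOD="1" means chmod is allowed; the two sample environments are constructed from the post's listings.

```python
import os

# Constructed sample environments, modelled on the two `env` listings in the post.
# ENV_OBSERVED is what Ken saw (empty SFTP_UMASK); ENV_EXPECTED is what an
# sshd_config with "SftpUmask 0002" and chmod/chown denied would presumably export.
ENV_OBSERVED = {"SFTP_UMASK": "", "SFTP_PERMIT_CHMOD": "1", "SFTP_PERMIT_CHOWN": "1"}
ENV_EXPECTED = {"SFTP_UMASK": "0002", "SFTP_PERMIT_CHMOD": "0", "SFTP_PERMIT_CHOWN": "0"}


def parse_umask(value):
    """Return the umask as an int, or None when the variable is unset or empty.

    Assumption: the patch exports the sshd_config value verbatim as an octal string.
    """
    if value is None or value.strip() == "":
        return None
    value = value.strip()
    if not all(c in "01234567" for c in value):
        raise ValueError(f"SFTP_UMASK is not octal: {value!r}")
    mask = int(value, 8)
    if mask > 0o777:
        raise ValueError(f"SFTP_UMASK out of range: {value!r}")
    return mask


def effective_mode(requested_mode, env):
    """Mode a new directory ends up with for a given environment.

    With no server umask the client's requested mode is used unchanged, which is
    the behaviour described in the post; with a umask the usual bits are cleared.
    """
    mask = parse_umask(env.get("SFTP_UMASK"))
    if mask is None:
        return requested_mode & 0o7777
    return requested_mode & ~mask & 0o7777


def chmod_permitted(env):
    """Assumed semantics: SFTP_PERMIT_CHMOD="1" allows client-side chmod."""
    return env.get("SFTP_PERMIT_CHMOD", "") == "1"


def diagnose(env, configured_umask):
    """Compare the environment sftp-server received with what sshd_config says.

    Returns a list of findings; an empty list means the two agree.
    """
    findings = []
    want = parse_umask(configured_umask)
    got = parse_umask(env.get("SFTP_UMASK"))
    if want is not None and got is None:
        findings.append(
            "SFTP_UMASK is empty although sshd_config sets SftpUmask "
            f"{configured_umask}: client-requested modes will be used unmasked"
        )
    elif want != got:
        findings.append(
            f"SFTP_UMASK={env.get('SFTP_UMASK')!r} differs from configured "
            f"{configured_umask!r}"
        )
    return findings


if __name__ == "__main__":
    # Run against the constructed samples, then against the real process env.
    for label, env in (("observed", ENV_OBSERVED), ("expected", ENV_EXPECTED)):
        mode = effective_mode(0o777, env)
        print(f"{label}: mkdir 0777 -> {mode:04o}, chmod permitted: {chmod_permitted(env)}")
        for f in diagnose(env, "0002"):
            print(f"  finding: {f}")
    for f in diagnose(dict(os.environ), "0002"):
        print(f"this shell: {f}")
```

Run it from the account under test (sftp subsystem or a plain shell); an empty SFTP_UMASK with a non-empty SftpUmask in sshd_config is reported as a finding, which is exactly the mismatch Kaleb asks Ken to confirm with a /bin/sh account.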