How can I disable some commands in SFTP?

Question

How can I disable some commands in SFTP for my clients, like ln & symlink?

I've checked man sftp, but didn't find what I'm searching for.

As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP. — cerberus, Mar 04 '17 at 04:15

Martin Prikryl · Answer 1 · 2017-09-12T15:52:52.153

4

You did not specify, what SFTP server are you using. I'm assuming the OpenSSH.

The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.

You can use them to disallow the symlink requests:

Subsystem sftp internal-sftp -P symlink

edited Sep 12 '17 at 15:52

answered Mar 04 '17 at 06:30

Martin Prikryl

7,930

I've tried this, but it doesn't work. – user134969 Mar 04 '17 at 21:21
2

What did you try? What does not work? What does it do instead? What version of OpenSSH are you using? – Martin Prikryl Mar 05 '17 at 06:44
Doesn't work a specific user as it is not usable in a Match block – Erdal G. Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can use ForceCommand though (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do). – Martin Prikryl Aug 24 '17 at 12:49

score 0 · Answer 2 · edited May 11 '19 at 00:12

0

You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!

The correct way:

Subsystem sftp internal-sftp

ForceCommand internal-sftp -P symlink

(you possibly also want to put a Match block around the second line)

edited May 11 '19 at 00:12

womble

97,049

answered May 10 '19 at 23:32

rufo

31

How can I disable some commands in SFTP?

2 Answers2