Linux – Denying timestamp modification on SFTP server

filesystemslinuxsftp

I have a linux SFTP server which I use to share files with other people.

There is a script that automatically find and delete files uploaded more than 10 days ago:

find . -not -path . -mtime +10 -exec rm -frv {} \;

I've noticed that some SFTP clients preserve last modified date, causing the script to delete the files sooner than expected.

For instance, if Today is 15th of December, and a client upload a file that he modified on his computer on the 1st of December, the file gets deleted immediately, instead of the 25th of December.

So, how can I deny the clients to change last modified attribute after the upload?

Best Answer

The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.

You can use them to disallow setstat and fsetstat requests:

Subsystem sftp internal-sftp -P setstat,fsetstat

Note that this will disallow also permissions (and other attributes) changes.

You can of course do this per-user (or per other criteria) using the Match directive.

Related Solutions

Linux Shell – Script to Delete Files Older Than 30 Days

Assuming you really need to be using find in order to recurse through subdirectories:

find /export/home/ftp \( -name console.log -or -name server.log \) -mtime +30 -exec rm -f {} +

Ssh – Upload only SFTP with OpenSSH and Linux

ProFTPd definitely supports an ssh-emulation mode for sftp use, and I'm fairly sure it will have the usual array of ftpd-normal config options for forcing ownerships, controlling uploads, and the like. I think it would definitely be worth a look for your use. I can't help with the ftpd upload-only config, but here's my config code for getting the SFTP support:

LoadModule mod_sftp.c

<VirtualHost 12.34.56.78>
  SFTPEngine            on
  Port                  443
  SFTPLog               /var/tmp/proftpd-sftp.log
  SFTPHostKey           /etc/ssh/ssh_host_rsa_key
  SFTPHostKey           /etc/ssh/ssh_host_dsa_key
  DefaultRoot           /home/testuser
<Limit LOGIN>
  AllowGroup            sftponly
  DenyAll
</Limit>
</VirtualHost>

The Port 443 was because we already had sshd running on port 22, plus we had to support a bunch of clients behind a variety of deeply-stupid firewalls, and port 443 is about the only destination that almost all sites allow unencumbered. There's some other stuff there about limiting access to one group of users and chrooting them all into the same place, which you probably won't need, but I include it because I can affirm that that config works as-is.

Best Answer

Related Solutions

Linux Shell – Script to Delete Files Older Than 30 Days

Ssh – Upload only SFTP with OpenSSH and Linux

Related Topic