Ssh – Upload only SFTP with OpenSSH and Linux

setuid sftp ssh

I'd like to set up a chrooted SFTP server with upload only privileges.

Back in the day, I know I've done this with FTP on FreeBSD through the use of SETUID. All uploaded files were automatically owned by root with others having write only permission. I've learned that this method does not work on Linux (please correct me if I'm wrong).

I've also come across some FTP daemons allowing this by setting a umask for uploaded files and denying the use of chmod.

The closest I've come is the following:

  • Set a umask in /etc/pam.d/sshd so that uploaded files are automatically created with write only permissions (e.g. 0222). This is great, except OpenSSH allows the user to chmod any file so that he can then download any uploaded file. I can't find a way to block the use of the chmod command – it seems to be an internal command and changing /bin/chmod to 0700 doesn't block users from running chmod.
  • Use Gamin or a cronjob and write a script to automatically change ownership of files as they are created. This feels like a bit of a hack and relies on a script to be running correctly and feels like too much of a hack and a bit complex for what I need.

I'm running RHEL 6 with OpenSSH 5.3p1.

The point of this is to have one SFTP account that can be securely shared among 50 individuals to deliver files to the server rather than creating 50 SFTP accounts.
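
The cron-job approach from the second bullet above, as an added example that is not part of the original question: a Python sweep, assumed to run as root from cron, that moves finished uploads into a directory outside the chroot so the shared account can no longer chmod or read them. The function name `sweep_uploads`, the paths and the 60-second settle time are assumptions, and the vault is assumed to be on the same filesystem as the drop directory.

```python
import os
import stat
import time


def sweep_uploads(incoming, vault, min_age=60, now=None):
    """Move finished uploads from the drop directory into a vault the
    shared SFTP account cannot reach. Returns (moved, skipped) name lists."""
    now = time.time() if now is None else now
    moved, skipped = [], []
    for entry in list(os.scandir(incoming)):
        st = entry.stat(follow_symlinks=False)
        # Plain files only: never follow or move symlinks, dirs, FIFOs, devices.
        if not stat.S_ISREG(st.st_mode):
            skipped.append(entry.name)
            continue
        # A second hard link would keep the data reachable from the drop dir.
        if st.st_nlink > 1:
            skipped.append(entry.name)
            continue
        # Recently modified files may still be uploading; retry on the next run.
        if now - st.st_mtime < min_age:
            continue
        # Inode prefix keeps same-named uploads from overwriting each other.
        dest = os.path.join(vault, "%d-%s" % (st.st_ino, entry.name))
        os.rename(entry.path, dest)  # atomic, but needs the same filesystem
        # Re-check inside the vault, where the uploader can no longer swap it.
        if not stat.S_ISREG(os.lstat(dest).st_mode):
            os.unlink(dest)
            skipped.append(entry.name)
            continue
        if os.geteuid() == 0:
            os.chown(dest, 0, 0)     # take the file away from the uploader
        os.chmod(dest, 0o400)        # drop whatever mode the uploader set
        moved.append(entry.name)
    return sorted(moved), sorted(skipped)


if __name__ == "__main__":
    # Hypothetical paths; the vault must sit outside the chroot.
    print(sweep_uploads("/srv/sftp/dropbox/incoming", "/srv/sftp-vault"))
```

Names returned in `skipped` (symlinks, directories, hard-linked files) are left in place and are worth logging for review.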

Best Answer

ProFTPd definitely supports an ssh-emulation mode for sftp use, and I'm fairly sure it will have the usual array of ftpd-normal config options for forcing ownerships, controlling uploads, and the like. I think it would definitely be worth a look for your use. I can't help with the ftpd upload-only config, but here's my config code for getting the SFTP support:

LoadModule mod_sftp.c

<VirtualHost 12.34.56.78>
  SFTPEngine            on
  Port                  443
  SFTPLog               /var/tmp/proftpd-sftp.log
  SFTPHostKey           /etc/ssh/ssh_host_rsa_key
  SFTPHostKey           /etc/ssh/ssh_host_dsa_key
  DefaultRoot           /home/testuser
  <Limit LOGIN>
    AllowGroup          sftponly
    DenyAll
  </Limit>
</VirtualHost>

The Port 443 was because we already had sshd running on port 22, plus we had to support a bunch of clients behind a variety of deeply-stupid firewalls, and port 443 is about the only destination that almost all sites allow unencumbered. There's some other stuff there about limiting access to one group of users and chrooting them all into the same place, which you probably won't need, but I include it because I can affirm that that config works as-is.