openssh 3.5p1: PATCH

From: news.verizon.net (michael.martinez81@verizon.net)
Date: 02/11/03


From: "news.verizon.net" <michael.martinez81@verizon.net>
Date: Mon, 10 Feb 2003 23:20:08 GMT

Guys,

The patch below provides the following functionality for openssh:

- sftp transaction logging
- control over whether the client can execute chmod, chown and chgrp
commands
- control over the umask that is applied to uploaded files

These functions are achieved with the following directives in sshd_config:

SftpLog, SftpLogLevel, SftpLogFacility, SftpUmask, SftpPermitChmod,
SftpPermitChown

I made this patch because I run a secure ftp server at work (Dept. of
Agriculture in D.C.) and needed the extra functionality. Please note that
this patch is entirely my own effort, it's not endorsed by the openssh
developer group or by my employer or by the U.S. Government.

Also note that this patch is a "diff -u" which means you'll need GNU
"patch."

Let me know if it works for you.

---------
Only in openssh-3.5p1-sftp_mods/: Makefile
Common subdirectories: openssh-3.5p1/autom4te-2.53.cache and
openssh-3.5p1-sftp_mods/autom4te-2.53.cache
Common subdirectories: openssh-3.5p1/contrib and
openssh-3.5p1-sftp_mods/contrib
Common subdirectories: openssh-3.5p1/openbsd-compat and
openssh-3.5p1-sftp_mods/openbsd-compat
Common subdirectories: openssh-3.5p1/regress and
openssh-3.5p1-sftp_mods/regress
Common subdirectories: openssh-3.5p1/scard and openssh-3.5p1-sftp_mods/scard
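Review bot: the "Only in openssh-3.5p1-sftp_mods/: Makefile", "Only in ...: ssh_prng_cmds" and autom4te-2.53.cache entries show the diff was generated against a configured tree; run make distclean (or diff against a freshly unpacked openssh-3.5p1) before producing the patch so it contains source changes only, and consider `diff -ruN` with the two top-level directories so the file list is recorded in the patch rather than in these "Only in" lines.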
diff -u openssh-3.5p1/servconf.c openssh-3.5p1-sftp_mods/servconf.c
--- openssh-3.5p1/servconf.c Thu Sep 5 00:35:15 2002
+++ openssh-3.5p1-sftp_mods/servconf.c Wed Jan 29 09:43:35 2003
@@ -124,6 +124,15 @@
  options->authorized_keys_file = NULL;
  options->authorized_keys_file2 = NULL;

+ options->log_sftp = LOG_SFTP_NOT_SET;
+ options->sftp_log_facility = SYSLOG_FACILITY_NOT_SET;
+ options->sftp_log_level = SYSLOG_LEVEL_NOT_SET;
+
+ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
+
+ options->sftp_permit_chmod = SFTP_PERMIT_NOT_SET;
+ options->sftp_permit_chown = SFTP_PERMIT_NOT_SET;
+
  /* Needs to be accessable in many places */
  use_privsep = -1;
 }
@@ -131,7 +140,7 @@
 void
 fill_default_server_options(ServerOptions *options)
 {
- /* Portable-specific options */
+/* Portable-specific options */
  if (options->pam_authentication_via_kbd_int == -1)
  options->pam_authentication_via_kbd_int = 0;

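Review bot: this hunk changes only the indentation of the `/* Portable-specific options */` comment; drop it so the patch carries functional changes only.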
@@ -256,6 +265,24 @@
  if (options->authorized_keys_file == NULL)
  options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;

+ /* Turn sftp-server logging off by default */
+ if (options->log_sftp == LOG_SFTP_NOT_SET)
+ options->log_sftp = LOG_SFTP_NO;
+ if (options->sftp_log_facility == SYSLOG_FACILITY_NOT_SET)
+ options->sftp_log_facility = SYSLOG_FACILITY_AUTH;
+ if (options->sftp_log_level == SYSLOG_LEVEL_NOT_SET)
+ options->sftp_log_level = SYSLOG_LEVEL_INFO;
+
+ /* Don't set sftp-server umask */
+ if (!options->sftp_umask)
+ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH);
+
+ /* allow sftp client to issue chmod, chown / chgrp commands */
+ if (options->sftp_permit_chmod == SFTP_PERMIT_NOT_SET)
+ options->sftp_permit_chmod = SFTP_PERMIT_YES;
+ if (options->sftp_permit_chown == SFTP_PERMIT_NOT_SET)
+ options->sftp_permit_chown = SFTP_PERMIT_YES;
+
  /* Turn privilege separation on by default */
  if (use_privsep == -1)
  use_privsep = 1;
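Review bot: the `if (!options->sftp_umask)` test in the "Don't set sftp-server umask" block can never be true, because sftp_umask is a char array and the address of an array is never NULL, so the memset below it is dead code. Either delete the block (initialize_server_options() already zeroes the buffer) or test the content, `if (options->sftp_umask[0] == '\0')`, if a default is really wanted here.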
@@ -302,6 +329,9 @@
  sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
  sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
  sUsePrivilegeSeparation,
+ sLogSftp, sSftpLogFacility, sSftpLogLevel,
+ sSftpUmask,
+ sSftpPermitChown, sSftpPermitChmod,
  sDeprecated
 } ServerOpCodes;

@@ -380,6 +410,12 @@
  { "authorizedkeysfile", sAuthorizedKeysFile },
  { "authorizedkeysfile2", sAuthorizedKeysFile2 },
  { "useprivilegeseparation", sUsePrivilegeSeparation},
+ { "logsftp", sLogSftp},
+ { "sftplogfacility", sSftpLogFacility},
+ { "sftploglevel", sSftpLogLevel},
+ { "sftpumask", sSftpUmask},
+ { "sftppermitchmod", sSftpPermitChmod},
+ { "sftppermitchown", sSftpPermitChown},
  { NULL, sBadOption }
 };
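Review bot: the keyword is registered here as "logsftp" (and documented as LogSftp in the sample sshd_config and in sshd_config.5), while the cover note and the other five directives use the Sftp prefix (SftpLog). Pick one spelling and use it everywhere; a directive name that does not match this table is rejected as a bad configuration option and sshd will not start.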

@@ -445,6 +481,8 @@
  char *cp, **charptr, *arg, *p;
  int *intptr, value, i, n;
  ServerOpCodes opcode;
+ unsigned int umaskvalue = 0;
+ char *umaskptr;

  cp = line;
  arg = strdelim(&cp);
@@ -888,6 +926,58 @@
  case sBanner:
  charptr = &options->banner;
  goto parse_filename;
+
+ case sLogSftp:
+ intptr = &options->log_sftp;
+ goto parse_flag;
+
+ case sSftpLogFacility:
+ intptr = (int *) &options->sftp_log_facility;
+ arg = strdelim(&cp);
+ value = log_facility_number(arg);
+ if (value == SYSLOG_FACILITY_NOT_SET)
+ fatal("%.200s line %d: unsupported log facility
'%s'",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*intptr == -1)
+ *intptr = (SyslogFacility) value;
+ break;
+
+ case sSftpLogLevel:
+ intptr = (int *) &options->sftp_log_level;
+ arg = strdelim(&cp);
+ value = log_level_number(arg);
+ if (value == SYSLOG_LEVEL_NOT_SET)
+ fatal("%.200s line %d: unsupported log level '%s'",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*intptr == -1)
+ *intptr = (LogLevel) value;
+ break;
+
+ case sSftpUmask:
+ arg = strdelim(&cp);
+ umaskptr = arg;
+ while (*arg && *arg >= '0' && *arg <= '9')
+ umaskvalue = umaskvalue * 8 + *arg++ - '0';
+ if (*arg || umaskvalue > 0777)
+ fatal("%s line %d: bad value for umask",
+ filename, linenum);
+ else {
+ while (*umaskptr && *umaskptr == '0')
+ *umaskptr++;
+ strncpy(options->sftp_umask, umaskptr,
+ SFTP_UMASK_LENGTH);
+ }
+
+ break;
+
+ case sSftpPermitChmod:
+ intptr = &options->sftp_permit_chmod;
+ goto parse_flag;
+
+ case sSftpPermitChown:
+ intptr = &options->sftp_permit_chown;
+ goto parse_flag;
+
  /*
  * These options can contain %X options expanded at
  * connect time, so that you can specify paths like:
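Review bot: the sSftpUmask case dereferences arg before checking it. strdelim() returns NULL when the directive has no argument, and the shipped sshd_config contains a bare `#SftpUmask` line, so an administrator who uncomments it as-is crashes sshd while parsing the config; add `if (!arg || *arg == '\0') fatal("%s line %d: missing umask", filename, linenum);` first, as the neighbouring cases do. The digit test `*arg >= '0' && *arg <= '9'` accepts 8 and 9 inside a base-8 accumulation, so "18" is silently accepted as 020; restrict it to '0'..'7'. Minor: `*umaskptr++;` dereferences and discards the value, write `umaskptr++;`. Since the value has already been validated as a number, storing it as a mode_t instead of copying the digit string would remove the strncpy, SFTP_UMASK_LENGTH and the re-parse in sftp-server.c.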
@@ -923,6 +1013,7 @@
  if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
  fatal("%s line %d: garbage at end of line; \"%.200s\".",
      filename, linenum, arg);
+
  return 0;
 }
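Review bot: whitespace-only hunk (a blank line before `return 0;`); drop it.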

diff -u openssh-3.5p1/servconf.h openssh-3.5p1-sftp_mods/servconf.h
--- openssh-3.5p1/servconf.h Wed Jul 31 21:28:39 2002
+++ openssh-3.5p1-sftp_mods/servconf.h Wed Jan 29 09:41:06 2003
@@ -32,6 +32,18 @@
 #define PERMIT_NO_PASSWD 2
 #define PERMIT_YES 3

+/* sftp-server logging */
+#define LOG_SFTP_NOT_SET -1
+#define LOG_SFTP_NO 0
+#define LOG_SFTP_YES 1
+
+/* sftp-server umask control */
+#define SFTP_UMASK_LENGTH 5
+
+/* sftp-server client priviledge */
+#define SFTP_PERMIT_NOT_SET -1
+#define SFTP_PERMIT_NO 0
+#define SFTP_PERMIT_YES 1

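Review bot: "priviledge" in the comment should be "privilege". LOG_SFTP_NOT_SET/NO/YES and SFTP_PERMIT_NOT_SET/NO/YES are the same -1/0/1 triple that parse_flag already produces for every other flag option in servconf.c; one set of names (or none, matching how the other int flags in this struct are handled) would be less to maintain.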
 typedef struct {
  u_int num_ports;
@@ -132,6 +144,13 @@
  char *authorized_keys_file; /* File containing public keys */
  char *authorized_keys_file2;
  int pam_authentication_via_kbd_int;
+ int log_sftp; /* perform sftp-server logging */
+ SyslogFacility sftp_log_facility; /* Facility for sftp subsystem
logging. */
+ LogLevel sftp_log_level; /* Level for sftp subsystem logging.
*/
+ char sftp_umask[SFTP_UMASK_LENGTH]; /* Sftp Umask */
+ int sftp_permit_chmod;
+ int sftp_permit_chown;
+
 } ServerOptions;

 void initialize_server_options(ServerOptions *);
diff -u openssh-3.5p1/session.c openssh-3.5p1-sftp_mods/session.c
--- openssh-3.5p1/session.c Wed Sep 25 20:38:50 2002
+++ openssh-3.5p1-sftp_mods/session.c Wed Jan 29 09:44:18 2003
@@ -111,6 +111,15 @@
 login_cap_t *lc;
 #endif

+/* so SFTP_LOG_FACILITY and SFTP_LOG_LEVEL can be passed through the
+ environment to the sftp-server subsystem. */
+static const char *sysfac_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
+ "7", "8", "9", "10", "11", "-1" };
+static const char *syslevel_to_int[] = { "0", "1", "2", "3", "4", "5", "6",
+ "7", "-1" };
+
+static char *sftpumask;
+
 /* Name and directory of socket for authentication agent forwarding. */
 static char *auth_sock_name = NULL;
 static char *auth_sock_dir = NULL;
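Review bot: sysfac_to_int[] and syslevel_to_int[] hardcode the ordering and size of the SyslogFacility and LogLevel enums from log.h, which are not visible here and can differ between builds; an enum value past the end of the table reads out of bounds. Formatting the integer with `snprintf(buf, sizeof buf, "%d", (int)options.sftp_log_facility)` before child_set_env() removes both tables and the coupling.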
@@ -957,6 +966,7 @@
  env = xmalloc(envsize * sizeof(char *));
  env[0] = NULL;

+
 #ifdef HAVE_CYGWIN
  /*
  * The Windows environment contains some setting which are
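Review bot: whitespace-only hunk (an added blank line after `env[0] = NULL;`); drop it.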
@@ -1083,6 +1093,67 @@
  if (auth_sock_name != NULL)
  child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
      auth_sock_name);
+
+ /* LOG_SFTP */
+ if (options.log_sftp == -1 )
+ child_set_env(&env, &envsize, "LOG_SFTP", "-1");
+ else if (options.log_sftp == 0)
+ child_set_env(&env, &envsize, "LOG_SFTP", "0");
+ else
+ child_set_env(&env, &envsize, "LOG_SFTP", "1");
+
+ /* SFTP_LOG_FACILITY */
+ if (options.sftp_log_facility < 0)
+ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
+ "-1");
+ else
+ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY",
+ sysfac_to_int[options.sftp_log_facility]);
+
+ /* SFTP_LOG_LEVEL */
+ if (options.sftp_log_level < 0)
+ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
+ "-1");
+ else
+ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL",
+ syslevel_to_int[options.sftp_log_level]);
+
+ /* SFTP_UMASK */
+
+ if (options.sftp_umask[0] == '\0')
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ "" );
+ else {
+ if (!(sftpumask = calloc(SFTP_UMASK_LENGTH,1))) {
+
+log("session.c: unabled to allocate memory for SftpUmask. SftpUmask control
+will be turned off.");
+
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ "" );
+ } else {
+ strncpy(sftpumask, options.sftp_umask,
+ SFTP_UMASK_LENGTH);
+ child_set_env(&env, &envsize, "SFTP_UMASK",
+ sftpumask );
+ }
+ }
+
+ /* SFTP_PERMIT_CHMOD */
+ if (options.sftp_permit_chmod == -1 )
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "-1");
+ else if (options.sftp_permit_chmod == 0)
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "0");
+ else
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "1");
+
+ /* SFTP_PERMIT_CHOWN */
+ if (options.sftp_permit_chown == -1 )
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "-1");
+ else if (options.sftp_permit_chown == 0)
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "0");
+ else
+ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "1");

  /* read $HOME/.ssh/environment. */
  if (options.permit_user_env && !options.use_login) {
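Review bot: these policy settings reach sftp-server through the child environment, and the environment is not under sshd's exclusive control at this point. The `read $HOME/.ssh/environment` block that immediately follows runs after these child_set_env() calls, and child_set_env() replaces a variable that is already present, so with PermitUserEnvironment a user who can write ~/.ssh/environment (over sftp itself) can set `SFTP_PERMIT_CHMOD=1`, `SFTP_PERMIT_CHOWN=1` or `LOG_SFTP=0` and switch the controls off; the subsystem is also started through the user's login shell, so shells that source startup files for non-interactive commands (csh, zsh) give the same opening, and a user with a real shell can simply run an unpatched sftp-server. Move this block below the user-environment code so sshd's values win, pass the settings as sftp-server command-line options instead of environment variables, and document that the chmod/chown/umask controls are only meaningful for accounts that cannot run commands. Smaller points: the `== -1` branches are unreachable once fill_default_server_options() has run; the calloc'd sftpumask copy is unnecessary (options.sftp_umask is already a NUL-terminated buffer and child_set_env() copies its argument) and is never freed; and the wrapped `log("session.c: unabled ...")` call should be one line, spelled "unable", indented like its neighbours.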
diff -u openssh-3.5p1/sftp-server.8 openssh-3.5p1-sftp_mods/sftp-server.8
--- openssh-3.5p1/sftp-server.8 Mon Jun 25 00:45:35 2001
+++ openssh-3.5p1-sftp_mods/sftp-server.8 Wed Jan 29 10:11:28 2003
@@ -42,11 +42,26 @@
 option.
 See
 .Xr sshd 8
+for more information. Sftp-server transactions may be logged
+using the
+.Cm LogSftp ,
+.Cm SftpLogFacility ,
+and
+.Cm SftpLogLevel
+options. The administrator may exert control over the file and directory
+permission and ownership, with
+.Cm SftpUmask ,
+.Cm SftpPermitChmod ,
+and
+.Cm SftpPermitChown
+. See
+.Xr sshd_config 5
 for more information.
 .Sh SEE ALSO
 .Xr sftp 1 ,
 .Xr ssh 1 ,
-.Xr sshd 8
+.Xr sshd 8,
+.Xr sshd_config 5
 .Rs
 .%A T. Ylonen
 .%A S. Lehtinen
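Review bot: the line `. See` is a control line in roff (a leading period starts a request), so "See" will not be rendered; put the period on the macro line as `.Cm SftpPermitChown .` and start the next line with `See`. Likewise `.Xr sshd 8,` should be `.Xr sshd 8 ,` so mdoc keeps the comma out of the cross reference, as on the existing `.Xr sftp 1 ,` line. "Sftp-server transactions" in running text should use `.Nm sftp-server` like the rest of the page.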
diff -u openssh-3.5p1/sftp-server.c openssh-3.5p1-sftp_mods/sftp-server.c
--- openssh-3.5p1/sftp-server.c Wed Sep 11 19:54:27 2002
+++ openssh-3.5p1-sftp_mods/sftp-server.c Wed Jan 29 09:40:25 2003
@@ -39,6 +39,12 @@
 #define get_string(lenp) buffer_get_string(&iqueue, lenp);
 #define TRACE debug

+/* SFTP_UMASK */
+static mode_t setumask = 0;
+
+static int permit_chmod = 1;
+static int permit_chown = 1;
+
 #ifdef HAVE___PROGNAME
 extern char *__progname;
 #else
@@ -391,6 +397,13 @@
  a = get_attrib();
  flags = flags_from_portable(pflags);
  mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+
+ if (setumask != 0) {
+ log("setting file creation mode to 0666 and umask to %o", setumask);
+ mode = 0666;
+ umask(setumask);
+ }
+
  TRACE("open id %u name %s flags %d mode 0%o", id, name, pflags, mode);
  fd = open(name, flags, mode);
  if (fd < 0) {
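Review bot: when SftpUmask is set, umask() is called on every open request even though the value never changes for the life of the process; call it once in main() after SFTP_UMASK is parsed and drop the per-request call here and in process_mkdir. The `log("setting file creation mode to 0666 and umask to %o", ...)` line then also fires once instead of per open; in any case it is trace output and belongs in TRACE()/debug(), not at the transaction log level. Discarding the client's requested mode entirely (forcing 0666) is what sshd_config.5 documents, but it deserves a comment here, since `a->perm & ~setumask` is the behaviour most readers of this line will expect.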
@@ -404,6 +417,7 @@
  status = SSH2_FX_OK;
  }
  }
+ log("open %s", name);
  if (status != SSH2_FX_OK)
  send_status(id, status);
  xfree(name);
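Review bot: `log("open %s", name)` records the request regardless of outcome and without the flags, so a refused open and a successful create-for-write look identical in the log. Log after status is known and include it, e.g. `log("open %s flags %d status %d", name, pflags, status)`. The remove, mkdir, rmdir, rename and symlink hunks below have the same shape (a fixed message with no status), and the rename/symlink lines log after send_status() has already been called. The name is client-supplied; check that the log path escapes control characters before relying on these lines for audit.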
@@ -459,6 +473,7 @@
  }
  }
  }
+ log("reading file");
  if (status != SSH2_FX_OK)
  send_status(id, status);
 }
@@ -497,6 +512,7 @@
  }
  }
  }
+ log("writing file");
  send_status(id, status);
  xfree(data);
 }
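Review bot: "reading file" and "writing file" are emitted once per READ/WRITE packet, that is once per data chunk, at the configured transaction level and with no handle or file name, so a single transfer produces many identical lines that tell an auditor nothing. Drop them, or log once per file at close with the name and a byte count kept on the handle, which is what a transaction log needs.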
@@ -589,24 +605,40 @@
  a = get_attrib();
  TRACE("setstat id %u name %s", id, name);
  if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
+log("process_setstat: truncate");
  ret = truncate(name, a->size);
  if (ret == -1)
  status = errno_to_portable(errno);
  }
  if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
- ret = chmod(name, a->perm & 0777);
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (permit_chmod == 1) {
+ ret = chmod(name, a->perm & 0777);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ log("chmod'ed %s", name);
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ log("chmod %s: operation prohibited by sftp-server configuration.", name);
+ }
  }
  if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+log("process_setstat: utimes");
  ret = utimes(name, attrib_to_tv(a));
  if (ret == -1)
  status = errno_to_portable(errno);
  }
  if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
- ret = chown(name, a->uid, a->gid);
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (permit_chown == 1) {
+ ret = chown(name, a->uid, a->gid);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ log("chown'ed %s.", name);
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ log("chown %s: operation prohibited by sftp-server configuration.", name);
+ }
  }
  send_status(id, status);
  xfree(name);
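Review bot: the prohibited-chmod branch sets status to SSH2_FX_PERMISSION_DENIED but processing continues, so a later utimes() or chown() failure overwrites status with its own errno and the client never learns that chmod was refused; send the status and return as soon as an operation is denied. For audit value the success lines should record what was set, e.g. `log("chmod %s 0%o", name, a->perm & 0777)` and the uid/gid for chown; "chmod'ed %s" is neither greppable nor informative. The unindented `log("process_setstat: truncate")` and `log("process_setstat: utimes")` lines are trace output; use TRACE()/debug() and indent them with the surrounding code.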
@@ -621,6 +653,8 @@
  int status = SSH2_FX_OK;
  char *name;

+log("process_fsetstat");
+
  id = get_int();
  handle = get_handle();
  a = get_attrib();
@@ -631,20 +665,29 @@
  status = SSH2_FX_FAILURE;
  } else {
  if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
+log("process_fsetstat: ftruncate");
  ret = ftruncate(fd, a->size);
  if (ret == -1)
  status = errno_to_portable(errno);
  }
  if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) {
+ if (permit_chmod == 1) {
 #ifdef HAVE_FCHMOD
- ret = fchmod(fd, a->perm & 0777);
+ ret = fchmod(fd, a->perm & 0777);
 #else
- ret = chmod(name, a->perm & 0777);
+ ret = chmod(name, a->perm & 0777);
 #endif
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ log("chmod: succeeded.");
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ log("chmod: operation prohibited by sftp-server configuration.");
+ }
  }
  if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) {
+log("process_fsetstat: utimes");
 #ifdef HAVE_FUTIMES
  ret = futimes(fd, attrib_to_tv(a));
 #else
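Review bot: the fchmod()/chmod() lines inside `#ifdef HAVE_FCHMOD` appear as changed only because their indentation moved; keep the original indentation so the hunk contains just the permit_chmod check. The fchown() lines in the following hunk have the same problem. "chmod: succeeded." should also name the handle or file and the mode, as in process_setstat.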
@@ -654,13 +697,20 @@
  status = errno_to_portable(errno);
  }
  if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) {
+ if (permit_chown == 1) {
 #ifdef HAVE_FCHOWN
- ret = fchown(fd, a->uid, a->gid);
+ ret = fchown(fd, a->uid, a->gid);
 #else
- ret = chown(name, a->uid, a->gid);
+ ret = chown(name, a->uid, a->gid);
 #endif
- if (ret == -1)
- status = errno_to_portable(errno);
+ if (ret == -1)
+ status = errno_to_portable(errno);
+ else
+ log("chown: succeeded");
+ } else {
+ status = SSH2_FX_PERMISSION_DENIED;
+ log("chown: operation prohibited by sftp-server configuration.");
+ }
  }
  }
  send_status(id, status);
@@ -690,6 +740,7 @@
  }

  }
+ log("opendir %s", path);
  if (status != SSH2_FX_OK)
  send_status(id, status);
  xfree(path);
@@ -763,6 +814,7 @@
  TRACE("remove id %u name %s", id, name);
  ret = unlink(name);
  status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+ log("remove file %s", name);
  send_status(id, status);
  xfree(name);
 }
@@ -780,9 +832,17 @@
  a = get_attrib();
  mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
      a->perm & 0777 : 0777;
+
+ if (setumask != 0) {
+ log("setting directory creation mode to 0777 and umask to
%o.", setumask);
+ mode = 0777;
+ umask(setumask);
+ }
+
  TRACE("mkdir id %u name %s mode 0%o", id, name, mode);
  ret = mkdir(name, mode);
  status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+ log("mkdir %s", name);
  send_status(id, status);
  xfree(name);
 }
@@ -799,6 +859,7 @@
  TRACE("rmdir id %u name %s", id, name);
  ret = rmdir(name);
  status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+ log("rmdir %s", name);
  send_status(id, status);
  xfree(name);
 }
@@ -825,6 +886,7 @@
  s.name = s.long_name = resolvedname;
  send_names(id, 1, &s);
  }
+ log("realpath %s", path);
  xfree(path);
 }

@@ -846,6 +908,7 @@
  status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
  }
  send_status(id, status);
+ log("rename old %s new %s", oldpath, newpath);
  xfree(oldpath);
  xfree(newpath);
 }
@@ -871,6 +934,7 @@
  s.name = s.long_name = link;
  send_names(id, 1, &s);
  }
+ log("readlink %s", path);
  xfree(path);
 }

@@ -892,6 +956,7 @@
  status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
  }
  send_status(id, status);
+ log("symlink old %s new %s", oldpath, newpath);
  xfree(oldpath);
  xfree(newpath);
 }
@@ -1013,6 +1078,8 @@
 {
  fd_set *rset, *wset;
  int in, out, max;
+ unsigned int val = 0;
+ char *umask_env;
  ssize_t len, olen, set_size;

  /* XXX should use getopt */
@@ -1020,10 +1087,45 @@
  __progname = get_progname(av[0]);
  handle_init();

+ /* Transaction logging */
+
+ if (atoi(getenv("LOG_SFTP")) == 1)
+ log_init("sftp-server", atoi(getenv("SFTP_LOG_LEVEL")),
+ atoi(getenv("SFTP_LOG_FACILITY")), 0);
+
+
 #ifdef DEBUG_SFTP_SERVER
  log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0);
 #endif

+ log("Starting sftp-server logging for user %s.", getenv("USER"));
+
+ /* Umask control */
+
+ umask_env = getenv("SFTP_UMASK");
+ while (*umask_env && *umask_env >= '0' && *umask_env <= '9')
+ val = val * 8 + *umask_env++ - '0';
+
+ if (*umask_env || val > 0777 || val == 0) {
+ log("bad value %o for SFTP_UMASK, turning umask control off.", val);
+ setumask = 0;
+ } else {
+ log("umask control is on.");
+ setumask = val;
+ };
+
+
+ /* Sensitive client commands */
+
+ if (atoi(getenv("SFTP_PERMIT_CHMOD")) != 1) {
+ permit_chmod = 0;
+ log("client is not permitted to chmod.");
+ };
+ if (atoi(getenv("SFTP_PERMIT_CHOWN")) != 1) {
+ permit_chown = 0;
+ log("client is not permitted to chown.");
+ };
+
  in = dup(STDIN_FILENO);
  out = dup(STDOUT_FILENO);

@@ -1066,6 +1168,7 @@
  len = read(in, buf, sizeof buf);
  if (len == 0) {
  debug("read eof");
+ log("sftp-server finished.");
  exit(0);
  } else if (len < 0) {
  error("read error");
Only in openssh-3.5p1-sftp_mods/: ssh_prng_cmds
diff -u openssh-3.5p1/sshd_config openssh-3.5p1-sftp_mods/sshd_config
--- openssh-3.5p1/sshd_config Thu Sep 26 23:21:58 2002
+++ openssh-3.5p1-sftp_mods/sshd_config Wed Jan 29 10:08:39 2003
@@ -91,3 +91,14 @@

 # override default of no subsystems
 Subsystem sftp /usr/libexec/sftp-server
+
+# sftp-server logging
+#LogSftp no
+#SftpLogFacility AUTH
+#SftpLogLevel INFO
+
+# sftp-server umask control
+#SftpUmask
+
+#SftpPermitChmod yes
+#SftpPermitChown yes
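Review bot: `#SftpUmask` is shipped with no value; an administrator who uncomments it as-is hits the missing-argument crash in the servconf.c parser, so give a concrete example such as `#SftpUmask 077`, and add a comment that the umask only applies to files and directories created over sftp and does not prevent a later chmod unless SftpPermitChmod is also no. The name LogSftp here differs from SftpLog in the cover note.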
diff -u openssh-3.5p1/sshd_config.5 openssh-3.5p1-sftp_mods/sshd_config.5
--- openssh-3.5p1/sshd_config.5 Wed Sep 18 21:51:22 2002
+++ openssh-3.5p1-sftp_mods/sshd_config.5 Wed Jan 29 10:10:03 2003
@@ -389,6 +389,10 @@
 and DEBUG3 each specify higher levels of debugging output.
 Logging with a DEBUG level violates the privacy of users
 and is not recommended.
+.It Cm LogSftp
+Specifies whether to perform logging of
+.Nm sftp-server
+subsystem transactions. Must be "yes" or "no." The default value is "no."
 .It Cm MACs
 Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used in protocol version 2
@@ -558,6 +562,37 @@
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 768.
+.It Cm SftpLogFacility
+Gives the facility code that is used when logging
+.Nm sftp-server .
+transactions. The possible values are: DAEMON, USER, AUTH, LOCAL0,
+LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+The default is AUTH.
+.It Cm SftpLogLevel
+Gives the verbosity level that is used when logging messages from
+.Nm sftp-server .
+The possible values are:
+QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2
+and DEBUG3 each specify higher levels of debugging output.
+Logging with a DEBUG level violates the privacy of users
+and is not recommended.
+.It Cm SftpPermitChmod
+Specifies whether the sftp-server allows the sftp client to execute chmod
+commands on the server. The default is yes.
+.It Cm SftpPermitChown
+Specifies whether the sftp-server allows the sftp client to execute chown
+or chgrp commands on the server. Turning this value on means that the
client
+is allowed to execute both chown and chgrp commands. Turning it off means
that
+the client is prohibited from executing either chown or chgrp.
+ The default is yes.
+.It Cm SftpUmask
+Specifies an optional umask for
+.Nm sftp-server
+subsystem transactions. If a umask is given, this umask will override all
system,
+environment or sftp client permission modes. If
+no umask or an invalid umask is given, file creation mode defaults to the
permission
+mode specified by the sftp client. The default is for no umask.
 .It Cm StrictModes
 Specifies whether
 .Nm sshd
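Review bot: `.Nm sftp-server .` under SftpLogFacility puts a period before "transactions" and renders as "sftp-server. transactions."; drop the trailing period (the SftpLogLevel entry has the same construct but there the sentence does end). The SftpUmask text says the umask "will override all system, environment or sftp client permission modes", but it only affects creation (open and mkdir): a client can still chmod the file afterwards unless SftpPermitChmod is also no, and existing files are untouched; say so, because an administrator reading this will assume SftpUmask alone enforces the mode. The SftpPermitChown entry should mention that on most systems an unprivileged user cannot chown to another uid anyway, so the option mainly restricts chgrp. SftpLogFacility and SftpLogLevel should state that they have no effect unless LogSftp is yes. The wrapped lines ("client", "that", "system,", "permission") should be rejoined before the patch is applied, since mdoc treats each as a separate input line.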

--
Michael
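An added example, written for this review and not part of the posted patch or of OpenSSH: the octal umask parser that the patch uses twice (the sSftpUmask case in servconf.c and the SFTP_UMASK parse in sftp-server's main()) reimplemented next to a stricter version, so both can be run on the same inputs. parse_umask_as_patched() copies the posted loop logic; parse_umask_strict() is the replacement suggested in the review notes. Both function names are mine; the sample inputs are constructed for the demonstration.

```c
/*
 * Example for review only, not code from the posted patch or from OpenSSH.
 *
 * parse_umask_as_patched() mirrors the patch's loop: it accepts any ASCII
 * digit and multiplies by 8, so "18" is accepted as 020 and "9" as 011,
 * and it assumes a non-NULL input, as the patch does (the patch calls
 * fatal() where this returns -1).
 *
 * parse_umask_strict() is the suggested replacement: NULL and empty input,
 * digits 8 and 9, any other non-octal character, and values above 0777 are
 * all rejected with -1, so the caller can fail closed.
 */
#include <stdio.h>

/* As in the patch: digit test is '0'..'9', base is 8, input assumed non-NULL. */
static long parse_umask_as_patched(const char *s)
{
    unsigned int v = 0;

    while (*s && *s >= '0' && *s <= '9')
        v = v * 8 + *s++ - '0';
    if (*s || v > 0777)
        return -1;
    return v;
}

/* Suggested: octal digits only, explicit NULL/empty handling, early bound check. */
static long parse_umask_strict(const char *s)
{
    unsigned int v = 0;

    if (s == NULL || *s == '\0')
        return -1;
    for (; *s; s++) {
        if (*s < '0' || *s > '7')
            return -1;
        v = v * 8 + (unsigned int)(*s - '0');
        if (v > 0777)
            return -1;      /* reject before a long string can wrap */
    }
    return v;
}

int main(void)
{
    /* Constructed sample directives, including the ones the patch mishandles. */
    const char *inputs[] = { "022", "077", "0777", "18", "9", "1000", "" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-6s patched=%4ld strict=%4ld\n", inputs[i],
               parse_umask_as_patched(inputs[i]),
               parse_umask_strict(inputs[i]));
    return 0;
}
```

The table the program prints makes the review points concrete: "18" is accepted by the patched loop as 16 (020) but refused by the strict parser, the empty string is accepted as 0 by the patched loop (which the patch then treats as "umask control off") but refused by the strict one, and only the strict parser survives a NULL argument, which is what strdelim() and getenv() return when the directive or variable is absent.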

