Re: sftp and directory group writable
- From: "Richard E. Silverman" <res@xxxxxxxx>
- Date: 11 Dec 2007 12:05:00 -0500
> We have a server that has a client connecting to it using sftp to get a
> file that is put there by the mainframe. The client has requested that
> the group write permission be removed from the directory they connect to
> for security reasons. I understand this; doing this, however, requires
> that changes be made on the mainframe, which the mainframe folks are
> hesitant to do, or making changes on the server, which I'm
> hesitant to do as it's only this client that is using sftp.
> Am I correct in my understanding that sftp will work with the group
> writable bit set on the directory? The only people in the group that
> they are concerned about are them and the mainframe account.
sftp itself doesn't care about this bit explicitly, though of course it
will be subject to the corresponding file access restrictions just like
any other process. If the directory in question is the home directory of
the login account, however, then SSH (the transport under sftp) *does*
care. If you're using SSH publickey authentication, then by default it
will not work if any of ~, ~/.ssh, or ~/.ssh/authorized_keys are group or
other-writable. You can control this with the StrictModes option to sshd.
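As an added illustration (not part of the reply above), here is a small POSIX sh audit that checks the same three paths sshd's StrictModes looks at before accepting a publickey login: the home directory, ~/.ssh and ~/.ssh/authorized_keys must be owned by the user (or root) and must not be group- or other-writable. The function name check_strict_modes is mine, and it assumes GNU stat (the -c option).

```shell
# Audit the paths that sshd checks under StrictModes (the default) for
# publickey authentication.  Usage: check_strict_modes /home/alice [uid]
# Returns 0 when all three paths pass, 1 otherwise, printing each problem.
check_strict_modes() {
    home=$1
    # Expected owner: the uid given, or whoever owns the home directory.
    owner_uid=${2:-$(stat -c %u "$home")}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        # A missing ~/.ssh or authorized_keys is not a permissions problem
        # (publickey auth simply has nothing to use); skip it.
        [ -e "$p" ] || continue
        # Zero-pad the octal mode to four digits, e.g. 775 -> 0775, so the
        # group and other digits are always the last two characters.
        perm=$(printf '%04d' "$(stat -c %a "$p")")
        uid=$(stat -c %u "$p")
        oth=${perm#"${perm%?}"}          # last octal digit  (other)
        rest=${perm%?}
        grp=${rest#"${rest%?}"}          # second-to-last digit (group)
        # Bit 2 of an octal permission digit is the write bit.
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "BAD  $p: mode $perm is group- or other-writable" >&2
            rc=1
        fi
        if [ "$uid" -ne "$owner_uid" ] && [ "$uid" -ne 0 ]; then
            echo "BAD  $p: owned by uid $uid, expected $owner_uid or root" >&2
            rc=1
        fi
    done
    return $rc
}
```

If the group-writable directory in the question is the login account's home, this is exactly the check that fails; fixing the mode on those three paths is the usual remedy, and StrictModes no only disables the check rather than the risk it guards against.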