Allow users to download files via SFTP, delete files, but not add or modify

3

I have an SFTP server on CentOS 7.4 (through the standard sshd), and I want to adjust the server so that users can download files in their directory, delete files in their directory, but cannot upload new files or overwrite files.

I can use chmod to set rw, but I don't want users to be able to upload new files or modify them, just download them.

Is there any trick I can use here? (Seems like most people want to block deletions, and allow additions / modifications, I want the opposite.)

I also have SELinux enabled and functioning, if that helps as well.

The closest I've gotten is chmod 555, chown for the user, but then I can't delete the file, only read it. If I chmod 755 to the directory, I can read and delete files, and I cannot modify existing files, but I can still add new files.

Also, appropriate portion of my /etc/ssh/sshd_config:

Match Group sftpusers
    ChrootDirectory /zfspool/sftp/%s
    ForceCommand internal-sftp

Everything else is default. The SFTP server is:

Subsystem    sftp    /usr/libexec/openssh/sftp-server

Der Kommissar

Posted 2018-06-29T14:10:19.367

Reputation: 131

Answers

0

You can do this using the blacklisting feature of sftp-server. In your sshd_config, set:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -P write

or alternatively, if using internal-sftp:

ForceCommand internal-sftp -P write

You can control allowed requests in white/black list mode; see man sftp-server, and run sftp-server -Q requests to get the list of available requests on your server.

tonioc

Posted 2018-06-29T14:10:19.367

Reputation: 787

So adding that -P write to my sshd_config didn't work, does it have anything to do with the ForceCommand internal-sftp / chroot? – Der Kommissar – 2018-06-29T18:23:08.910

indeed: updated my answer to move -P write to internal-sftp directive. – tonioc – 2018-06-30T10:43:44.057
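A fuller version of the Match block from the question, as an added example that is not part of tonioc's answer or the original post. It keeps the group name and chroot path from the question (with %s replaced by %u, the token sshd_config(5) documents for the user name), uses the /usr/libexec path from the answer, and assumes OpenSSH 7.4 as shipped with CentOS 7.4, whose sftp-server -Q requests output includes every request name blacklisted below. Because ForceCommand replaces the Subsystem command for members of the group, -P has to go on internal-sftp, as the comments above worked out. Beyond write it also blacklists the requests that can add a directory entry or change a file without sending data: mkdir, rename, posix-rename, symlink, hardlink, and setstat/fsetstat (a setstat carrying a size attribute truncates the file).

```conf
# /etc/ssh/sshd_config (excerpt; added example, not the poster's config)

# Used by clients that are not in the Match block below. The ForceCommand
# in the Match block replaces this command for sftpusers, so a -P flag put
# here never reaches them.
Subsystem    sftp    /usr/libexec/openssh/sftp-server

Match Group sftpusers
    # The chroot target and every directory above it must be owned by root
    # and not group/world-writable; give the user a subdirectory beneath it
    # (for example /zfspool/sftp/<user>/files) that they own.
    ChrootDirectory /zfspool/sftp/%u
    # Refuse every request that creates a directory entry or changes file
    # contents or metadata. open, read, readdir, remove and rmdir stay
    # permitted, so downloads and deletions still work.
    ForceCommand internal-sftp -P write,setstat,fsetstat,mkdir,rename,posix-rename,symlink,hardlink
    # Not related to the file policy, but usual hygiene for an SFTP-only group.
    AllowTcpForwarding no
    X11Forwarding no
```

One limitation to be aware of: -P acts per request type, and the open request cannot be refused only when it carries create or truncate flags without also refusing opens for reading. A client that runs put can therefore still create an empty file or truncate an existing one; only the following write is refused with permission denied. The read-only mode (-R) does refuse such opens, but it refuses remove as well, so it does not fit this requirement. After editing, check the syntax with sshd -t before restarting sshd, and confirm the request names for your build with /usr/libexec/openssh/sftp-server -Q requests.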