Info: Version 1.8.x is available.

Japanese Page

Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Providing download-only / uploadable SFTP service with single user account using environment variable.

About this page

This page explains you how to provide both download-only SFTP service and uploadable SFTP service using single user account. The type of SFTP service (i.e. download-only or uploadable) is determined by environment variables provided by SFTP client, and normal SSH shell access is forbidden if appropriate environment variables are not provided.


Step 1: Creating user account for SFTP service

In this page, we assume the name of user for SFTP service as "sftp".

We assume the shell program for SFTP service as /bin/sftp-shell .

We assume the directory for SFTP service as /var/sftp/ .

We assume the location of SFTP server program as /usr/libexec/openssh/sftp-server .

useradd -s /bin/sftp-shell -d /var/sftp sftp
passwd sftp

Step 2: Creating programs needed for SFTP service

Save the program listed below as /bin/sftp-shell and set executable bit.

#! /bin/sh
[ "$sftp_type" == "ro-sftp" ] && exec /bin/ro-sftp
[ "$sftp_type" == "rw-sftp" ] && exec /bin/rw-sftp
exit 1

Save the program listed below as /bin/rw-sftp and /bin/ro-sftp and set executable bit. (/bin/rw-sftp and /bin/ro-sftp are identical.)

#! /bin/sh
umask 0022
exec /usr/libexec/openssh/sftp-server

Step 3: Making SSH to pass and receive environment variables

Append the name of environment variable which SSH server accepts to /etc/ssh/sshd_config .

AcceptEnv sftp_type

Append the name of environment variable which SSH client sends to /etc/ssh/ssh_config .

SendEnv sftp_type

Step 4: Install and initialize TOMOYO Linux

Install TOMOYO Linux and run below commandline in order to initialize TOMOYO Linux.

/usr/lib/ccs/init_policy

Then, please do below operations before you reboot using TOMOYO Linux kernel.

Append below line to /etc/ccs/exception_policy.conf in order to initialize domain transition when /bin/sftp-shell is executed.

initialize_domain /bin/sftp-shell

Append below lines to /etc/ccs/exception_policy.conf so that we can specify directory for SFTP service recursively.

path_group SFTP_DIRS /var/sftp/\{\*\}/
path_group SFTP_FILES /var/sftp/\{\*\}/\*
path_group SFTP_FILES /var/sftp/\*

Append below lines to /etc/ccs/domain_policy.conf so that we can allow downloading / uploading SFTP contents.

<kernel> /bin/sftp-shell

<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server
allow_read @SFTP_FILES

<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server
allow_read/write @SFTP_FILES
allow_create @SFTP_FILES 0644
allow_unlink @SFTP_FILES
allow_mkdir @SFTP_DIRS 0755
allow_rmdir @SFTP_DIRS
allow_rename @SFTP_FILES @SFTP_FILES
allow_rename @SFTP_DIRS @SFTP_DIRS
allow_truncate @SFTP_FILES

Step 5: Learning and operation

Now, you are ready to start operation. Please reboot using TOMOYO Linux kernel.

Change access control mode to learning mode by assigning profile 1.

/usr/sbin/ccs-setprofile -r 1 '<kernel> /bin/sftp-shell'

Set environment variable "sftp_type" with value "ro-sftp" and access the SFTP server. In this page, we assume the name of SFTP server as "server".

export sftp_type="ro-sftp"
sftp sftp@server

Now, the process belongs to "<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server" domain. Do download operations from this domain. But don't do upload operations from this domain.

Set environment variable "sftp_type" with value "rw-sftp" and access the SFTP server.

export sftp_type="rw-sftp"
sftp sftp@server

Now, the process belongs to "<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server" domain. Do download operations and upload operations from this domain.

Change access control mode to enforcing mode by assigning profile 3.

/usr/sbin/ccs-setprofile -r 3 '<kernel> /bin/sftp-shell'

Save policy files by executing ccs-savepolicy command.

/usr/sbin/ccs-savepolicy

Explanation

We create two domains for sftp-server programs with different parent domain, and we give write permissions to only one domain. Since this program is just an example, we used straightforward environment variables. When you use at real systems, please use unguessable environment variables because these environment variables act as passwords.

If you want to forbid access to files listed using allow_read keyword in the exception policy (e.g. shared libraries), you can specify ignore_global_allow_read directive to the domain policy.

Application idea

You can use environment variable SSH_CLIENT to grant upload access when clients are from specific IP addresses and port numbers, download-only access otherwise.


Return to index page.

sflogo.php