How can I disable some commands in SFTP?
How can I disable some commands in SFTP for my clients, like ln & symlink?
I've checked man sftp, but didn't find what I'm searching for.
Tag: sftp
asked Mar 4 '17 at 3:25 by user134969
This doesn't make much sense. Why do you want to do this?
– Michael Hampton♦
Mar 4 '17 at 3:32
As Michael Hampton said, this doesn't make sense. The only thing I can think to do is disallow access to those commands with Linux ACLs from the users that log onto your server via SFTP and/or, depending if you're running SFTP in a chroot jail, the specific user that is running SFTP.
– cerberus
Mar 4 '17 at 4:15
2 Answers
You did not specify what SFTP server you are using. I'm assuming OpenSSH.
The sftp-server (and the compatible internal-sftp) has the -P and -p switches to black/white list certain SFTP requests.
You can use them to disallow the symlink requests:
    Subsystem sftp internal-sftp -P symlink
edited Sep 12 '17 at 15:52
answered Mar 4 '17 at 6:30 by Martin Prikryl
I've tried this, but it doesn't work.
– user134969
Mar 4 '17 at 21:21
What did you try? What does not work? What does it do instead? What version of OpenSSH are you using?
– Martin Prikryl
Mar 5 '17 at 6:44
Doesn't work for a specific user as it is not usable in a Match block
– Erdal G.
Aug 24 '17 at 12:44
@ErdalG. You are right. I've removed that part. You can use ForceCommand though (but that would disallow shell access, what you actually want to do anyway probably, if you want to limit what user can do).
– Martin Prikryl
Aug 24 '17 at 12:49
You can only pass args to the sftp command when using ForceCommand, not Subsystem. If you do what the other answer says, the -P arg will be silently ignored!
The correct way:
    Subsystem sftp internal-sftp
    ForceCommand internal-sftp -P symlink
(you possibly also want to put a Match block around the second line)
edited May 11 at 0:12 by womble♦
answered May 10 at 23:32 by rufo
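The Match-block form that the second answer suggests, written out as an added example that is not part of either answer. The group name sftponly and the connection values in the last check are hypothetical, and hardlink is added to the deny list on the assumption that the client's plain ln (a hard link) should be refused as well as symlink.

```sshd_config
# sshd_config fragment (added example). "sftponly" is a hypothetical group.

# Global subsystem line, unchanged from the answer above.
Subsystem sftp internal-sftp

# A Match block runs until the next Match line or the end of the file,
# so keep it below all global settings.
Match Group sftponly
    # Force the in-process SFTP server for these users (no shell access)
    # and deny two request types:
    #   symlink  - sent by the sftp client's "symlink" and "ln -s"
    #   hardlink - sent by the sftp client's plain "ln"
    ForceCommand internal-sftp -P symlink,hardlink

# Checks to run before reloading sshd:
#   sftp-server -Q requests
#       list the request names that -P and -p accept on this build
#   sshd -t
#       syntax-check the configuration
#   sshd -T -C user=alice,host=client.example,addr=192.0.2.10
#       print the effective settings for one constructed connection;
#       the "forcecommand" line shows whether the -P list is applied
```

A denied request is rejected by the server while the session stays open, so a follow-up test from a client account in the group is the final confirmation that the restriction is in effect.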