
Last modified: $Date: 2024-03-30 11:25:00 +0000 (Sat, 30 Mar 2024) $

Providing a download-only / uploadable SFTP service with a single user account, selected by environment variable.

About this page

This page explains how to provide both a download-only SFTP service and an uploadable SFTP service using a single user account. The type of SFTP service (download-only or uploadable) is determined by an environment variable supplied by the SFTP client, and normal SSH shell access is refused when no appropriate environment variable is supplied.


Step 1: Creating user account for SFTP service

In this page, we assume the user account for the SFTP service is named "sftp".

We assume the login shell for the SFTP service is /bin/sftp-shell .

We assume the directory for the SFTP service is /var/sftp/ .

We assume the SFTP server program is located at /usr/libexec/openssh/sftp-server .

useradd -s /bin/sftp-shell -d /var/sftp sftp
passwd sftp

Step 2: Creating programs needed for SFTP service

Save the program listed below as /bin/sftp-shell and set the executable bit.

#! /bin/sh
# Dispatch on the client-supplied variable (passed through AcceptEnv, see Step 3).
# Use the POSIX "=" comparison: "==" is a bash extension and fails under /bin/sh
# implementations such as dash, which would refuse every login.
[ "$sftp_type" = "ro-sftp" ] && exec /bin/ro-sftp
[ "$sftp_type" = "rw-sftp" ] && exec /bin/rw-sftp
# No recognised value: deny shell access entirely.
exit 1

Save the program listed below as both /bin/rw-sftp and /bin/ro-sftp and set the executable bit. (/bin/rw-sftp and /bin/ro-sftp are identical; they exist as separate paths only so that TOMOYO Linux can assign a different domain to each.)

#! /bin/sh
# Newly created files get mode 0644 and directories 0755, matching the
# allow_create / allow_mkdir entries in the domain policy (Step 4).
umask 0022
exec /usr/libexec/openssh/sftp-server

Step 3: Making SSH to pass and receive environment variables

Add the name of the environment variable that the SSH server accepts to /etc/ssh/sshd_config .

AcceptEnv sftp_type

Add the name of the environment variable that the SSH client sends to /etc/ssh/ssh_config on the client side.

SendEnv sftp_type

Step 4: Install and initialize TOMOYO Linux

Install TOMOYO Linux and run the command below to initialize it.

/usr/lib/ccs/init_policy

Then perform the operations below before you reboot into the TOMOYO Linux kernel.

Add the line below to /etc/ccs/exception_policy.conf so that a fresh domain is started whenever /bin/sftp-shell is executed.

initialize_domain /bin/sftp-shell

Add the lines below to /etc/ccs/exception_policy.conf so that the directory tree for the SFTP service can be referred to recursively.

path_group SFTP_DIRS /var/sftp/\{\*\}/
path_group SFTP_FILES /var/sftp/\{\*\}/\*
path_group SFTP_FILES /var/sftp/\*

Add the lines below to /etc/ccs/domain_policy.conf to allow downloading and uploading of SFTP contents.

<kernel> /bin/sftp-shell

<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server
allow_read @SFTP_FILES

<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server
allow_read/write @SFTP_FILES
allow_create @SFTP_FILES 0644
allow_unlink @SFTP_FILES
allow_mkdir @SFTP_DIRS 0755
allow_rmdir @SFTP_DIRS
allow_rename @SFTP_FILES @SFTP_FILES
allow_rename @SFTP_DIRS @SFTP_DIRS
allow_truncate @SFTP_FILES

Step 5: Learning and operation

Now you are ready to start operation. Reboot into the TOMOYO Linux kernel.

Change the access control mode to learning mode by assigning profile 1.

/usr/sbin/ccs-setprofile -r 1 '<kernel> /bin/sftp-shell'

Set the environment variable "sftp_type" to "ro-sftp" and access the SFTP server. In this page, we assume the SFTP server is named "server".

export sftp_type="ro-sftp"
sftp sftp@server

Now the process belongs to the "<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server" domain. Perform download operations from this domain, but do not perform any upload operations, since everything done in learning mode is recorded as permitted.

Set the environment variable "sftp_type" to "rw-sftp" and access the SFTP server.

export sftp_type="rw-sftp"
sftp sftp@server

Now the process belongs to the "<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server" domain. Perform both download and upload operations from this domain.

Change the access control mode to enforcing mode by assigning profile 3.

/usr/sbin/ccs-setprofile -r 3 '<kernel> /bin/sftp-shell'

Save the policy files by executing the ccs-savepolicy command.

/usr/sbin/ccs-savepolicy

Explanation

We create two domains for the sftp-server program, each with a different parent domain, and grant write permissions to only one of them. Since this program is just an example, we used straightforward environment variable values. On real systems, use unguessable values, because these environment variables act as passwords: anyone who can log in as the "sftp" account and knows the value "rw-sftp" gets upload access.

If you want to forbid access to files listed with the allow_read keyword in the exception policy (e.g. shared libraries), specify the ignore_global_allow_read directive in the domain policy.

Application idea

You can use the environment variable SSH_CLIENT (set by sshd, not by the client) to grant upload access only when the connection comes from specific IP addresses and port numbers, and download-only access otherwise.
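The following is an added example of that idea, not a script from the original page or the TOMOYO project: a variant of /bin/sftp-shell that chooses between /bin/rw-sftp and /bin/ro-sftp from SSH_CLIENT ("client_ip client_port server_port") instead of from a client-supplied variable. The allowlist RW_CLIENTS and the SFTP_SHELL_DISPATCH guard are assumptions of this example, and it only understands IPv4 addresses; the TOMOYO domain policy from Step 4 remains the actual enforcement.

```sh
#!/bin/sh
# Added example: select the SFTP mode from SSH_CLIENT rather than sftp_type.
set -f   # no pathname expansion: "*" in the allowlist must stay literal

# Constructed sample allowlist of "ip:port" pairs allowed to upload.
# A port of "*" accepts any client port for that address.
RW_CLIENTS="192.0.2.10:* 198.51.100.7:40000"

# select_sftp_mode "<ip> <port> <server_port>" -> prints rw-sftp, ro-sftp or deny
select_sftp_mode() {
    set -- $1                          # split SSH_CLIENT into its three fields
    [ $# -eq 3 ] || { echo deny; return 1; }
    ip=$1; port=$2
    # Accept only a plain IPv4 dotted quad and a numeric port (IPv6 is denied here).
    case $ip in *[!0-9.]*|"") echo deny; return 1;; esac
    case $port in *[!0-9]*|"") echo deny; return 1;; esac
    for entry in $RW_CLIENTS; do
        e_ip=${entry%%:*}; e_port=${entry#*:}
        if [ "$e_ip" = "$ip" ] && { [ "$e_port" = "*" ] || [ "$e_port" = "$port" ]; }; then
            echo rw-sftp; return 0
        fi
    done
    echo ro-sftp                       # everyone else is download-only
}

# Dispatcher with the same shape as the page's /bin/sftp-shell. It is guarded
# by SFTP_SHELL_DISPATCH=1 so the file can be sourced for testing without exec.
if [ "${SFTP_SHELL_DISPATCH:-0}" = 1 ]; then
    mode=$(select_sftp_mode "${SSH_CLIENT:-}")
    case $mode in
        rw-sftp) exec /bin/rw-sftp ;;
        ro-sftp) exec /bin/ro-sftp ;;
        *)       exit 1 ;;           # missing or malformed SSH_CLIENT: no access
    esac
fi
```

Because /bin/rw-sftp and /bin/ro-sftp are still the programs being exec'd, the domain transitions and the domain_policy.conf entries from Step 4 apply unchanged.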
