Protecting SFTP service
About this page
This page explains how to provide both a download-only SFTP service and an uploadable SFTP service from a single user account. The type of SFTP service (download-only or uploadable) is selected by an environment variable supplied by the SFTP client, and normal SSH shell access is refused when the expected environment variable is not provided.
Step 1: Creating user account for SFTP service
In this page, we assume the user name for the SFTP service is "sftp".
We assume the shell program for the SFTP service is /bin/sftp-shell.
We assume the directory for the SFTP service is /var/sftp/.
We assume the location of the SFTP server program is /usr/libexec/openssh/sftp-server.
# useradd -s /bin/sftp-shell -d /var/sftp sftp
# passwd sftp
Step 2: Creating programs needed for SFTP service
Save the program listed below as /bin/sftp-shell and set its executable bit.
#! /bin/sh
# Dispatch on the client-supplied sftp_type variable (passed through by
# AcceptEnv/SendEnv, see Step 3). Any other value, or no value at all,
# ends the session without giving shell access.
# Note: POSIX sh uses "=" for string comparison; "==" is a bash extension.
[ "$sftp_type" = "ro-sftp" ] && exec /bin/ro-sftp
[ "$sftp_type" = "rw-sftp" ] && exec /bin/rw-sftp
exit 1
Save the program listed below as both /bin/rw-sftp and /bin/ro-sftp and set their executable bits. (/bin/rw-sftp and /bin/ro-sftp are identical; they exist as two paths only so that TOMOYO Linux assigns sftp-server to two different domains.)
#! /bin/sh
umask 0022
exec /usr/libexec/openssh/sftp-server
Step 3: Making SSH pass and receive the environment variable
Append the name of the environment variable that the SSH server accepts to /etc/ssh/sshd_config.
AcceptEnv sftp_type
Append the name of the environment variable that the SSH client sends to /etc/ssh/ssh_config.
SendEnv sftp_type
Step 4: Install and initialize TOMOYO Linux
Install TOMOYO Linux and run the following command to initialize it.
# /usr/lib/tomoyo/init_policy
Then perform the following operations before you reboot into the TOMOYO Linux kernel.
Append the following line to /etc/tomoyo/exception_policy.conf so that a fresh domain is started whenever /bin/sftp-shell is executed.
initialize_domain /bin/sftp-shell from any
Append the following lines to /etc/tomoyo/exception_policy.conf so that the directory for the SFTP service can be referred to recursively.
path_group SFTP_DIRS /var/sftp/\{\*\}/
path_group SFTP_FILES /var/sftp/\{\*\}/\*
path_group SFTP_FILES /var/sftp/\*
Append the following lines to /etc/tomoyo/domain_policy.conf to allow downloading and uploading of SFTP contents. The ro-sftp domain gets read access only; the rw-sftp domain additionally gets the write, create, unlink, mkdir, rmdir, rename and truncate permissions that uploads need.
<kernel> /bin/sftp-shell

<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server
file read @SFTP_FILES

<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server
file read @SFTP_FILES
file write @SFTP_FILES
file create @SFTP_FILES 0644
file unlink @SFTP_FILES
file mkdir @SFTP_DIRS 0755
file rmdir @SFTP_DIRS
file rename @SFTP_FILES @SFTP_FILES
file rename @SFTP_DIRS @SFTP_DIRS
file truncate @SFTP_FILES
Step 5: Learning and operation
Now you are ready to start operation. Reboot into the TOMOYO Linux kernel.
Change the access control mode to learning mode by assigning profile 1.
# /usr/sbin/tomoyo-setprofile -r 1 '<kernel> /bin/sftp-shell'
Set the environment variable "sftp_type" to "ro-sftp" and access the SFTP server. In this page, we assume the host name of the SFTP server is "server".
$ export sftp_type="ro-sftp"
$ sftp sftp@server
Now the process belongs to the "<kernel> /bin/sftp-shell /bin/ro-sftp /usr/libexec/openssh/sftp-server" domain. Perform download operations from this domain, but do not perform upload operations: in learning mode every access you perform is recorded as permitted for that domain.
Set the environment variable "sftp_type" to "rw-sftp" and access the SFTP server.
$ export sftp_type="rw-sftp"
$ sftp sftp@server
Now the process belongs to the "<kernel> /bin/sftp-shell /bin/rw-sftp /usr/libexec/openssh/sftp-server" domain. Perform both download and upload operations from this domain.
Change the access control mode to enforcing mode by assigning profile 3.
# /usr/sbin/tomoyo-setprofile -r 3 '<kernel> /bin/sftp-shell'
Save the policy files by executing the tomoyo-savepolicy command.
# /usr/sbin/tomoyo-savepolicy
Explanation
We create two domains for the sftp-server program, each with a different parent domain, and grant write permissions to only one of them. Since this page is just an example, we used straightforward environment variable values. On real systems, use unguessable values, because these values act as passwords.
Application idea
You can use the environment variable SSH_CLIENT to grant upload access only when clients connect from specific IP addresses and port numbers, and download-only access otherwise.
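The following is an added example of that idea, not code from the original page: a variant of /bin/sftp-shell that chooses between /bin/rw-sftp and /bin/ro-sftp from SSH_CLIENT instead of from a client-supplied variable. sshd sets SSH_CLIENT itself to "<client-ip> <client-port> <server-port>", so unlike sftp_type it is not under the client's SendEnv control. The allow-list RW_CLIENTS and the function select_sftp_mode are assumptions made for this example; the address values are constructed. Anyone not on the allow-list, and any session with a missing or malformed SSH_CLIENT, falls back to download-only.

```shell
#!/bin/sh
# Added example (not from the original page): pick the SFTP mode from SSH_CLIENT.
# sshd sets SSH_CLIENT to "<client-ip> <client-port> <server-port>"; the client
# cannot override it through SendEnv, unlike the sftp_type variable.

# Hypothetical allow-list of clients that get upload access: one "ip port" pair
# per line, "*" meaning any source port. Everyone else is download-only.
# Addresses below are constructed documentation-range examples.
RW_CLIENTS='192.0.2.10 *
198.51.100.7 40000'

# select_sftp_mode "<SSH_CLIENT value>" "<allow-list>"
# Prints "rw-sftp" for an allow-listed client and "ro-sftp" for everyone else,
# including an empty or malformed SSH_CLIENT. Returns 0 only on a match.
select_sftp_mode() {
    list=$2
    set -- $1                 # word-split SSH_CLIENT into ip, port, server port
    ip=$1
    port=$2
    if [ -z "$ip" ] || [ -z "$port" ]; then
        echo ro-sftp          # fail closed when sshd did not provide the value
        return 1
    fi
    # The braces run in a subshell, so "exit" only leaves the scan loop.
    if printf '%s\n' "$list" | {
        while read -r aip aport; do
            [ -n "$aip" ] || continue
            if [ "$aip" = "$ip" ]; then
                if [ "$aport" = "*" ] || [ "$aport" = "$port" ]; then
                    exit 0
                fi
            fi
        done
        exit 1
    }; then
        echo rw-sftp
        return 0
    fi
    echo ro-sftp
    return 1
}

# sshd invokes the login shell as: sftp-shell -c "/usr/libexec/openssh/sftp-server"
# Only dispatch in that case, so the file can also be sourced for testing.
if [ "$1" = "-c" ]; then
    case "$(select_sftp_mode "${SSH_CLIENT:-}" "$RW_CLIENTS")" in
        rw-sftp) exec /bin/rw-sftp ;;
        *)       exec /bin/ro-sftp ;;
    esac
fi
```

Because the two target programs are unchanged, the TOMOYO domain policy from Step 4 applies as before: the rw-sftp domain is the only one that can write under /var/sftp, whatever the dispatcher decided. Note that an address-based rule is only as trustworthy as the network path between client and server; it replaces the shared secret with a location check rather than strengthening it.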