MySecureShell forum → Posts by renaud
Glad you like it.
I'm sure there are lots of nice features that could be added using this generic mechanism.
Thanks a lot.
Let me know if you want me to test it.
Did cat -e sftp_config and it looks fine:
## MySecureShell Configuration File ##$
#Default rules for everybody$
<Default>$
GlobalDownload 0 #total speed download for all clients$
# o -> bytes k -> kilo bytes m -> mega bytes$
GlobalUpload 0 #total speed download for all clients (0 for unlimited)$
Download 0 #limit speed download for each connection$
Upload 0 #unlimit speed upload for each connection$
StayAtHome false #limit client to his home$
VirtualChroot false #fake a chroot to the home account$
LimitConnection 30 #max connection for the server sftp$
LimitConnectionByUser 2 #max connection for the account$
LimitConnectionByIP 4 #max connection by ip for the account$
Home /$
# Home /home/$USER #overrite home of the user but if you want you can use$
# environment variable (ie: Home /home/$USER)$
IdleTimeOut 15m #(in second) deconnect client is idle too long time$
ResolveIP true #resolve ip to dns$
IgnoreHidden false #treat all hidden files as if they don't exist$
# DirFakeUser true #Hide real file/directory owner (just change displayed permissions)$
# DirFakeGroup true #Hide real file/directory group (just change displayed permissions)$
# DirFakeMode 0400 #Hide real file/directory rights (just change displayed permissions)$
#Add execution right for directory if read right is set$
# HideFiles "^(lost\+found|public_html)$" #Hide file/directory which match$
#this extented POSIX regex$
HideFiles "^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"$
HideNoAccess true #Hide file/directory which user has no access$
# MaxOpenFilesForUser 20 #limit user to open x files on same time$
# MaxWriteFilesForUser 10 #limit user to x upload on same time$
# MaxReadFilesForUser 10 #limit user to x download on same time$
DefaultRights 0640 0750 #Set default rights for new file and new directory$
# MinimumRights 0400 0700 #Set minimum rights for files and dirs$
$
# PathDenyFilter "^\." #deny upload of directory/file which match this extented POSIX regex$
$
ShowLinksAsLinks false #show links as their destinations$
# ConnectionMaxLife 1d #limits connection lifetime to 1 day$
$
# Charset "ISO-8859-15" #set charset of computer$
# GMTTime +1 #set GMT Time (change if necessary)$
</Default>$
$
#Rules only for group ftp$
#<Group ftp>$
# Download 25 k/s$
# LogFile /var/log/sftp-server_ftp.log #Change logfile$
# ExpireDate "2007-02-28 18:31:01"$
#</Group>$
$
#<Group sftp_administrator>$
# IsAdmin true #can admin the server$
# VirtualChroot false #you must disable chroot to have a full support of admin$
# StayAtHome true$
# IdleTimeOut 0$
#</Group>$
$
#<Group old_client>$
# SftpProtocol 3 #force protocol SFTP$
# DisableAccount true #disable account$
#</Group>$
$
Still on the issue I'm having with Fedora Core 12 x64.
There is definitely something wrong with the way MySecureShell reads the config file.
I tried the RPM for Fedora and then removed it and installed from source and I get the same results...
If my HideFiles directive is as follow:
"^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"
When I run MySecureShell --testconfig, this is what I get:
# MySecureShell --configtest
--- root ---
GlobalDownload = 0 bytes/s
GlobalUpload = 0 bytes/s
Download = 0 bytes/s
Upload = 0 bytes/s
StayAtHome = false
VirtualChroot = false
LimitConnection = 30
LimitConnectionByUser = 2
LimitConnectionByIP = 4
Home =
ResolveIP = true
IdleTimeOut = 900s
IgnoreHidden = false
HideFiles = ^(bi|etc|lib|meedia|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usrwwww)$
HideNoAccess = true
ShowLinksAsLinks = false
SftpProtocol = {default}
LogFile = {default}
CanRemoveDir = true
CanRemoveFile = true
CanChangeRights = true
CanChangeTime = true
DefaultRights = 0640 0750
Config is valid.
The HideFiles directive is garbled.
And this is exactly the same config file on both servers. Works on FC9, not on FC12x64.
I suppose the issue is from within the code itself since it doesn't rely on external libraries for reading the files.
Thanks for the quick reply.
No, I can't see "var", but something is definitely broken and I'm not sure where.
I'll make further checks, it's definitely working on FC9 when installed from source. I'll try the same on FC12.
Regarding the use of symlinks, I tried this by creating a /remoteaccess folder into which I would put 2 links to /data and /home.
The issue was, when using WinSCP, I would see the following structure:
[root]
+/remoteaccess
+/data
+/home
But if you click the root of the tree you get "Access Denied" and the whole tree just disappears, forcing the user to log off.
Possible solutions in terms of configuration could be:
Have a directive to allow symlinks in VirtualChroot (would be false by default because of the security implication)
Have more granular options for defining allowed and denied path.
Regarding the latter, I have made a separate feature request.
Based on the issue I reported here, I thought about an improvement that could allow more control over which files to show to, or hide from, the connected user.
In the spirit of the existing configuration file format, we could define file specifications in a way reminiscent of the syntax used in the apache config files.
Say we could define an arbitrary number of named <FileSpec> blocks that can then be used in the various Default/User/Virtualhost/... login contexts.
For instance:
<FileSpec AllowAll>
# This specification allows access to all files
# this should probably be the default
Order Allow, Deny
Allow all
Deny none
</FileSpec>
<FileSpec DenyAll>
# This specification hides all files
Order Deny, Allow
Allow none
Deny all
# Hide files that are denied
HideDenied true
</FileSpec>
<FileSpec OnlyDataAndHome>
# Here, we check against the full absolute path
# instead of just the filename or foldername
UseFullPath true
# We define the order in which paths are evaluated
Order Allow, Deny
# Allow any full path that starts with /data or /home
Allow "^\/(data|home)"
Deny all
# Hide files that are denied
HideDenied true
</FileSpec>
<FileSpec AllowedExtensions>
# Only check against filenames/folder names
UseFullPath false
# we can use multiple deny/allow directives for clarity
Order Deny, Allow
Deny ".*\.exe$"
Deny ".*\.sh$"
Allow all
# Throw an error when the user tries to access a denied file
HideDenied false
# Return a customized message in that case (dunno if it can be done with sftp)
DeniedMessage "Please contact your admin to allow access to these files"
</FileSpec>
<FileSpec ExcludeFinance>
# A more complex example
UseFullPath true
Order Deny, Allow
# Here we exclude a particular folder within a specific tree
# We must be careful that the definition would not break if
# the user was to rename a subfolder...
# Here we assume that the user does not have the rights to
# rename /data or the Projects folders
Deny "^\/data/Projects/.*?/Finance"
Allow all
# Hide files that are denied
HideDenied true
</FileSpec>
Each <FileSpec> directive is named and can then be used in multiple context blocks using an ApplyFileSpec directive that can take multiple FileSpec names that are evaluated in the order they are listed.
# By default, don't show anything
<default>
...
ApplyFileSpec DenyAll
...
</default>
# For anyone wanting access to toto.mss.com, restrict access
<VirtualHost toto.mss.com:22>
ApplyFileSpec OnlyDataAndHome, ExcludeFinance, AllowedExtensions
</VirtualHost>
# For administrators, show all files
<User sysadmin>
ApplyFileSpec AllowAll
</User>
When listing multiple FileSpecs in the ApplyFileSpec directive, the evaluation stops at the first blocking spec.
So in the VirtualHost example, if the file passes OnlyDataAndHome, it is then evaluated against ExcludeFinance followed by AllowedExtensions if it passes. Once the file has been through all tests, it is made accessible to the user.
This would allow a lot more control over what the user can see depending on their login context and could probably replace all the existing file pattern matching directives.
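An added example, not from renaud's post or from MySecureShell itself: a small Python model of the proposed FileSpec semantics, applied to the five blocks and the toto.mss.com chain from the post. It reads each block as first-match-wins in the sequence given by Order, treats a spec in which nothing matches as a deny, and stops the ApplyFileSpec chain at the first blocking spec; the field names and the sample paths are assumptions, and the last check shows the caveat the post raises about the ExcludeFinance pattern matching more than intended.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class FileSpec:
    # One named <FileSpec> block of the proposal; field names are assumptions.
    name: str
    order: Tuple[str, str]       # ("Allow", "Deny") or ("Deny", "Allow")
    allow: List[str]             # regexes, or the keywords "all" / "none"
    deny: List[str]
    use_full_path: bool = False  # match the full path instead of the basename
    hide_denied: bool = True     # True: hide from listings; False: error on access
    denied_message: str = "Access denied"

    @staticmethod
    def _matches(patterns: List[str], subject: str) -> bool:
        return any(p == "all" or (p != "none" and re.search(p, subject))
                   for p in patterns)

    def allows(self, path: str) -> bool:
        subject = path if self.use_full_path else posixpath.basename(path)
        for directive in self.order:   # first matching directive wins
            rules = self.allow if directive == "Allow" else self.deny
            if self._matches(rules, subject):
                return directive == "Allow"
        return False                   # assumption: no match -> deny (fail closed)

def apply_file_specs(path: str, chain: List[FileSpec]) -> Tuple[str, Optional[str], Optional[str]]:
    # ApplyFileSpec: evaluate specs in listed order, stop at the first blocking one.
    # Returns (outcome, blocking spec, message); outcome is allowed, hidden or denied.
    for spec in chain:
        if not spec.allows(path):
            if spec.hide_denied:
                return ("hidden", spec.name, None)
            return ("denied", spec.name, spec.denied_message)
    return ("allowed", None, None)

# The five blocks from the post, pattern strings kept as written there.
ALLOW_ALL = FileSpec("AllowAll", ("Allow", "Deny"), ["all"], ["none"])
DENY_ALL = FileSpec("DenyAll", ("Deny", "Allow"), ["none"], ["all"])
ONLY_DATA_AND_HOME = FileSpec("OnlyDataAndHome", ("Allow", "Deny"),
                              [r"^\/(data|home)"], ["all"], use_full_path=True)
ALLOWED_EXTENSIONS = FileSpec("AllowedExtensions", ("Deny", "Allow"), ["all"],
                              [r".*\.exe$", r".*\.sh$"], hide_denied=False,
                              denied_message="Please contact your admin to allow access to these files")
EXCLUDE_FINANCE = FileSpec("ExcludeFinance", ("Deny", "Allow"), ["all"],
                           [r"^\/data/Projects/.*?/Finance"], use_full_path=True)
TOTO_CHAIN = [ONLY_DATA_AND_HOME, EXCLUDE_FINANCE, ALLOWED_EXTENSIONS]  # <VirtualHost toto.mss.com:22>
```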
Hi,
I have setup MySecureShell on 2 servers:
Fedora Core12 x64 using the packages
Fedora release 9 x86 manually from source
Both work fine except that the HideFiles directive doesn't work properly on the FC12 server. I am still able to see some of the folders that should be excluded, even though I'm using exactly the same configuration file as the FC9 setup.
The regex I use is this one:
"^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"
On the FC12 server, I can still see /bin and /etc.
The strangest thing is that the white space around the string seems to influence it. I sometimes see all the excluded folders...
Is there a size restriction on the regex or some issue maybe with x64?
Because of our particular configuration, I need to allow users access to /data and /home only.
The only solution I have found was to hide everything else.