Topic: HideFiles directive not working properly

Hi,
I have set up MySecureShell on 2 servers:

  • Fedora Core12 x64 using the packages

  • Fedora release 9 x86 manually from source

Both work fine except that the HideFiles directive doesn't work properly on the FC12 server. I am still able to see some of the folders that should be excluded, even though I'm using exactly the same configuration file as the FC9 setup.

The regex I use is this one:

"^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"

On the FC12 server, I can still see /bin and /etc.
The strangest thing is that the white space around the string seems to influence it. I sometimes see all the excluded folders...
Is there a size restriction on the regex or some issue maybe with x64?

Because of our particular configuration, I need to allow users access to /data and /home only.
The only solution I have found was to hide everything else.

Re: HideFiles directive not working properly

Hi,

For the FC12 server, can you see "var" too? Just to know if the feature is broken or something else...

I don't think there is a difference in regexp between 32b and 64b... maybe a bug with MySecureShell.

Maybe you can just create a default directory with 2 symlinks (to /data and /home) and use the tag "StayAtHome".

Re: HideFiles directive not working properly

Thanks for the quick reply.
No, I can't see "var", but something is definitely broken; I'm not sure where.
I'll make further checks, it's definitely working on FC9 when installed from source. I'll try the same on FC12.

Regarding the use of symlinks, I tried this creating a /remoteaccess folder into which I would put 2 links to /data and /home.

The issue was, when using WinSCP, I would see the following structure:
[root]
   +/remoteaccess
        +/data
        +/home

But if you click the root of the tree you get "Access Denied" and the whole tree just disappears, forcing the user to log-off.

Possible solutions in terms of configuration could be:

  • Have a directive to allow symlinks in VirtualChroot (would be false by default because of the security implication)

  • Have more granular options for defining allowed and denied path.

Regarding the latter, I have made a separate feature request.

Re: HideFiles directive not working properly

renaud wrote:

But if you click the root of the tree you get "Access Denied" and the whole tree just disappears, forcing the user to log-off.

It depends on your SFTP client.

Maybe use "mount --rebind" and "VirtualChroot" to solve this problem.


renaud wrote:

Possible solutions in terms of configuration could be:

  • Have a directive to allow symlinks in VirtualChroot (would be false by default because of the security implication)

I think I'll add this possibility later in MySecureShell.

renaud wrote:
  • Have more granular options for defining allowed and denied path.

Regarding the latter, I have made a separate feature request.

Reply in post.

Re: HideFiles directive not working properly

Still on the issue I'm having with Fedora Core 12 x64.

There is definitely something wrong with the way MySecureShell reads the config file.

I tried the RPM for Fedora and then removed it and installed from source and I get the same results...

If my HideFiles directive is as follows:

"^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"

When I run MySecureShell --testconfig, this is what I get:

# MySecureShell --configtest
--- root ---
GlobalDownload        = 0 bytes/s
GlobalUpload          = 0 bytes/s
Download              = 0 bytes/s
Upload                = 0 bytes/s
StayAtHome            = false
VirtualChroot         = false
LimitConnection       = 30
LimitConnectionByUser = 2
LimitConnectionByIP   = 4
Home                  =
ResolveIP             = true
IdleTimeOut           = 900s
IgnoreHidden          = false
HideFiles             = ^(bi|etc|lib|meedia|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usrwwww)$
HideNoAccess          = true
ShowLinksAsLinks      = false
SftpProtocol          = {default}
LogFile               = {default}
CanRemoveDir          = true
CanRemoveFile         = true
CanChangeRights       = true
CanChangeTime         = true
DefaultRights         = 0640 0750
Config is valid.

The HideFiles directive is garbled.

And this is exactly the same config file on both servers. Works on FC9, not on FC12x64.

I suppose the issue is from within the code itself since it doesn't rely on external libraries for reading the files.
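
Added example, not part of the original thread and not MySecureShell's own code: a check that compares the HideFiles regex written in sftp_config with the one reported by `MySecureShell --configtest`, then lists which directory names stop being hidden when the two differ. The sample input is constructed from the two listings posted in this thread; the function names and the list of directory names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): detect a HideFiles regex that the
# config parser altered, and list the names that stop being hidden.

# Constructed sample input, copied from the two listings in this thread.
SAMPLE_CONFIG='<Default>
#       HideFiles               "^(lost\+found|public_html)$"   #Hide file/directory which match
        HideFiles               "^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"
        HideNoAccess            true
</Default>'
SAMPLE_CONFIGTEST='--- root ---
HideFiles             = ^(bi|etc|lib|meedia|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usrwwww)$
HideNoAccess          = true'

# Regex from the first uncommented HideFiles line of an sftp_config text.
configured_hidefiles() {
    printf '%s\n' "$1" |
        sed -n -E 's/^[[:space:]]*HideFiles[[:space:]]+"([^"]*)".*/\1/p' | head -n 1
}

# Regex as reported in `MySecureShell --configtest` output.
parsed_hidefiles() {
    printf '%s\n' "$1" |
        sed -n -E 's/^HideFiles[[:space:]]*=[[:space:]]*(.*)$/\1/p' | head -n 1
}

# Names ($3...) that the configured regex ($1) hides but the parsed one ($2) does not.
leaked_names() {
    local want="$1" got="$2" name
    shift 2
    for name in "$@"; do
        if printf '%s\n' "$name" | grep -Eq -- "$want" &&
           ! printf '%s\n' "$name" | grep -Eq -- "$got"; then
            printf '%s\n' "$name"
        fi
    done
}

want=$(configured_hidefiles "$SAMPLE_CONFIG")
got=$(parsed_hidefiles "$SAMPLE_CONFIGTEST")
if [ "$want" != "$got" ]; then
    echo "HideFiles mismatch between sftp_config and --configtest"
    leaked_names "$want" "$got" bin etc lib usr www var data home 'lost+found'
fi
```

On a live server, pass the contents of sftp_config and the real `--configtest` output to the two extraction functions instead of the samples; running the check after each upgrade catches a hide list that silently fails open.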

Re: HideFiles directive not working properly

Hummmmm...

Just use "cat -e sftp_config" to check for unprintable characters.

I should test too on Fedora 12 x64 asap.

Re: HideFiles directive not working properly

Did cat -e sftp_config and it looks fine:

## MySecureShell Configuration File ##$
#Default rules for everybody$
<Default>$
        GlobalDownload          0       #total speed download for all clients$
                                        # o -> bytes   k -> kilo bytes   m -> mega bytes$
        GlobalUpload            0       #total speed download for all clients (0 for unlimited)$
        Download                0       #limit speed download for each connection$
        Upload                  0       #unlimit speed upload for each connection$
        StayAtHome              false   #limit client to his home$
        VirtualChroot           false   #fake a chroot to the home account$
        LimitConnection         30      #max connection for the server sftp$
        LimitConnectionByUser   2       #max connection for the account$
        LimitConnectionByIP     4       #max connection by ip for the account$
        Home                    /$
#       Home                    /home/$USER     #overrite home of the user but if you want you can use$
                                                #       environment variable (ie: Home /home/$USER)$
        IdleTimeOut             15m     #(in second) deconnect client is idle too long time$
        ResolveIP               true    #resolve ip to dns$
        IgnoreHidden            false   #treat all hidden files as if they don't exist$
#       DirFakeUser             true    #Hide real file/directory owner (just change displayed permissions)$
#       DirFakeGroup            true    #Hide real file/directory group (just change displayed permissions)$
#       DirFakeMode             0400    #Hide real file/directory rights (just change displayed permissions)$
                                        #Add execution right for directory if read right is set$
#       HideFiles               "^(lost\+found|public_html)$"   #Hide file/directory which match$
                                                                #this extented POSIX regex$
        HideFiles               "^(bin|etc|lib|media|opt|sbin|srv|tmp|var|boot|dev|lost\+found|mnt|media|proc|root|selinux|sys|usr|www)$"$
        HideNoAccess            true    #Hide file/directory which user has no access$
#       MaxOpenFilesForUser     20      #limit user to open x files on same time$
#       MaxWriteFilesForUser    10      #limit user to x upload on same time$
#       MaxReadFilesForUser     10      #limit user to x download on same time$
        DefaultRights           0640 0750       #Set default rights for new file and new directory$
#       MinimumRights           0400 0700       #Set minimum rights for files and dirs$
$
#       PathDenyFilter          "^\."   #deny upload of directory/file which match this extented POSIX regex$
$
        ShowLinksAsLinks        false   #show links as their destinations$
#       ConnectionMaxLife       1d      #limits connection lifetime to 1 day$
$
#       Charset                 "ISO-8859-15"   #set charset of computer$
#       GMTTime                 +1      #set GMT Time (change if necessary)$
</Default>$
$
#Rules only for group ftp$
#<Group ftp>$
#       Download        25 k/s$
#       LogFile         /var/log/sftp-server_ftp.log    #Change logfile$
#       ExpireDate      "2007-02-28 18:31:01"$
#</Group>$
$
#<Group sftp_administrator>$
#       IsAdmin         true            #can admin the server$
#       VirtualChroot   false           #you must disable chroot to have a full support of admin$
#       StayAtHome      true$
#       IdleTimeOut     0$
#</Group>$
$
#<Group old_client>$
#       SftpProtocol            3       #force protocol SFTP$
#       DisableAccount          true    #disable account$
#</Group>$
$

Re: HideFiles directive not working properly

Okay it should be a bug...

I'll test asap.

Re: HideFiles directive not working properly

Thanks a lot.
Let me know if you want me to test it.

Re: HideFiles directive not working properly

Okay thanks.

Re: HideFiles directive not working properly

Bug fixed for MySecureShell 1.25.

CVS on SourceForge contains the release candidate (not for production) of MySecureShell 1.25.