Topic: Proposal for improved file access filtering
Based on the issue I reported here, I thought about an improvement that could allow more control over which files to show to, or hide from, the connected user.
In the spirit of the existing configuration file format, we could define file specifications in a way reminiscent of the syntax used in the Apache config files.
Say we could define an arbitrary number of named <FileSpec> blocks that can then be used in the various Default/User/Virtualhost/... login contexts.
For instance:
<FileSpec AllowAll>
# This specification allows access to all files
# This should probably be the default
Order Allow, Deny
Allow all
Deny none
</FileSpec>
<FileSpec DenyAll>
# This specification hides all files
Order Deny, Allow
Allow none
Deny all
# Hide files that are denied
HideDenied true
</FileSpec>
<FileSpec OnlyDataAndHome>
# Here, we check against the full absolute path
# instead of just the filename or foldername
UseFullPath true
# We define the order in which paths are evaluated
Order Allow, Deny
# Allow any full path that starts with /data or /home
Allow "^\/(data|home)"
Deny all
# Hide files that are denied
HideDenied true
</FileSpec>
<FileSpec AllowedExtensions>
# Only check against filenames/folder names
UseFullPath false
# we can use multiple deny/allow directives for clarity
Order Deny, Allow
Deny ".*\.exe$"
Deny ".*\.sh$"
Allow all
# Throw an error when the user tries to access a denied file
HideDenied false
# Return a customized message in that case (dunno if it can be done with sftp)
DeniedMessage "Please contact your admin to allow access to these files"
</FileSpec>
<FileSpec ExcludeFinance>
# A more complex example
UseFullPath true
Order Deny, Allow
# Here we exclude a particular folder within a specific tree
# We must be careful that the definition would not break if
# the user was to rename a subfolder...
# Here we assume that the user does not have the rights to
# rename /data or the Projects folders
Deny "^\/data/Projects/.*?/Finance"
Allow all
# Hide files that are denied
HideDenied true
</FileSpec>
Each <FileSpec> block is named and can then be used in multiple context blocks using an ApplyFileSpec directive that can take multiple FileSpec names, which are evaluated in the order they are listed.
# By default, don't show anything
<default>
...
ApplyFileSpec DenyAll
...
</default>
# For anyone wanting access to toto.mss.com, restrict access
<VirtualHost toto.mss.com:22>
ApplyFileSpec OnlyDataAndHome, ExcludeFinance, AllowedExtensions
</VirtualHost>
# For administrators, show all files
<User sysadmin>
ApplyFileSpec AllowAll
</User>
When listing multiple FileSpecs in the ApplyFileSpec directive, the evaluation stops at the first blocking spec.
So in the VirtualHost example, if the file passes OnlyDataAndHome, it is then evaluated against ExcludeFinance followed by AllowedExtensions if it passes. Once the file has been through all tests, it is made accessible to the user.
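To make the proposed semantics concrete, here is a small Python model of the FileSpec evaluation described above. It is an added illustration, not code from the proposal or from the project. It assumes that Order means "first matching rule wins, in the listed order" (the reading the OnlyDataAndHome example needs, where Deny all only applies after no Allow matched; this differs from Apache's own Order semantics, where a later Deny overrides an earlier Allow), that a spec in which no rule matches denies (fail-closed), and that the path handed in is already canonical (absolute, no .. components). The configuration text and the paths used are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the proposed syntax (not from the project's shipped config).
SAMPLE_CONFIG = r'''
<FileSpec DenyAll>
Order Deny, Allow
Allow none
Deny all
HideDenied true
</FileSpec>
<FileSpec OnlyDataAndHome>
UseFullPath true
Order Allow, Deny
Allow "^\/(data|home)"
Deny all
HideDenied true
</FileSpec>
<FileSpec AllowedExtensions>
UseFullPath false
Order Deny, Allow
Deny ".*\.exe$"
Deny ".*\.sh$"
Allow all
HideDenied false
DeniedMessage "Please contact your admin to allow access to these files"
</FileSpec>
<FileSpec ExcludeFinance>
UseFullPath true
Order Deny, Allow
Deny "^\/data/Projects/.*?/Finance"
Allow all
HideDenied true
</FileSpec>
'''


@dataclass
class FileSpec:
    name: str
    use_full_path: bool = False
    order: tuple = ("Allow", "Deny")
    rules: dict = field(default_factory=lambda: {"Allow": [], "Deny": []})
    hide_denied: bool = False
    denied_message: str = "Access denied"  # default text is an assumption


def _matcher(arg):
    """Turn an Allow/Deny argument ('all', 'none' or a regex) into a predicate."""
    if arg == "all":
        return lambda s: True
    if arg == "none":
        return lambda s: False
    rx = re.compile(arg)
    return lambda s: rx.search(s) is not None


def parse_filespecs(text):
    """Parse <FileSpec NAME> ... </FileSpec> blocks into a dict keyed by name."""
    specs, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<FileSpec\s+(\w+)>", line)
        if m:
            cur = FileSpec(m.group(1))
            continue
        if line == "</FileSpec>":
            specs[cur.name] = cur
            cur = None
            continue
        if cur is None:
            raise ValueError(f"directive outside a <FileSpec> block: {line}")
        key, _, arg = line.partition(" ")
        arg = arg.strip().strip('"')
        if key == "UseFullPath":
            cur.use_full_path = arg.lower() == "true"
        elif key == "Order":
            cur.order = tuple(p.strip() for p in arg.split(","))
        elif key in ("Allow", "Deny"):
            cur.rules[key].append(_matcher(arg))
        elif key == "HideDenied":
            cur.hide_denied = arg.lower() == "true"
        elif key == "DeniedMessage":
            cur.denied_message = arg
        else:
            raise ValueError(f"unknown directive in {cur.name}: {key}")
    return specs


def spec_allows(spec, path):
    """First rule that matches, in the Order given, decides; no match denies (assumption)."""
    subject = path if spec.use_full_path else path.rstrip("/").rsplit("/", 1)[-1]
    for kind in spec.order:
        if any(rule(subject) for rule in spec.rules[kind]):
            return kind == "Allow"
    return False


def apply_filespecs(specs, names, path):
    """Evaluate an ApplyFileSpec chain; the first spec that denies ends the evaluation."""
    for name in names:
        spec = specs[name]
        if not spec_allows(spec, path):
            return {"allowed": False, "hidden": spec.hide_denied,
                    "message": spec.denied_message, "blocked_by": name}
    return {"allowed": True, "hidden": False, "message": None, "blocked_by": None}


if __name__ == "__main__":
    specs = parse_filespecs(SAMPLE_CONFIG)
    vhost = ["OnlyDataAndHome", "ExcludeFinance", "AllowedExtensions"]
    for p in ["/data/Projects/alpha/report.pdf", "/etc/passwd",
              "/data/Projects/alpha/Finance/q1.xlsx", "/home/bob/setup.sh"]:
        print(p, apply_filespecs(specs, vhost, p))
```

Running the VirtualHost chain over the sample paths shows the stop-at-first-blocking-spec behaviour: /etc/passwd is blocked (and hidden) by OnlyDataAndHome before the later specs are consulted, a Finance folder is blocked by ExcludeFinance, and a .sh file in /home passes the first two specs and is blocked, visibly and with the custom message, by AllowedExtensions. One check worth making on any such spec: a prefix regex such as ^\/(data|home) without a trailing (/|$) also admits /datastore or /homework, so a path like /datastore/x.txt would pass OnlyDataAndHome as written.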
This would allow a lot more control over what the user can see depending on their login context and could probably replace all the existing file pattern matching directives.