sftp and directory group writable - SSH


Thread: sftp and directory group writable

  1. sftp and directory group writable

    We have a server that has a client connecting to it using sftp to get a
    file that is put there by the mainframe. The client has requested that
    the group write permission be removed from the directory they connect to
    for security reasons, I understand this, doing this however requires
    that changes be made on the mainframe which the mainframe folks are
    hesitant to do. Or making changes on the server which I'm
    hesitant to do as it's only this client that is using sftp.

    Am I correct in my understanding that sftp will work with the group
    writable bit set on the directory? The only people in the group that
    they are concerned about is them and the mainframe account.

    Jason

  2. Re: sftp and directory group writable

    On Mon, 10 Dec 2007 11:39:18 -0400, Jason wrote:

    > We have a server that has a client connecting to it using sftp to get a
    > file that is put there by the mainframe. The client has requested that
    > the group write permission be removed from the directory they connect to
    > for security reasons, I understand this, doing this however requires
    > that changes be made on the mainframe which the mainframe folks are
    > hesitant to do. Or making changes on the server which I'm
    > hesitant to do as it's only this client that is using sftp.
    >
    > Am I correct in my understanding that sftp will work with the group
    > writable bit set on the directory? The only people in the group that
    > they are concerned about is them and the mainframe account.
    >
    > Jason


    No, it is only extensible in the later stages.
    --
    ____________________
    Alric Knebel

    http://www.ironeyefortress.com/C-SPAN_loon.html
    http://www.ironeyefortress.com

  3. Re: sftp and directory group writable

    * Alric Knebel :
    > On Mon, 10 Dec 2007 11:39:18 -0400, Jason wrote:
    >
    >> We have a server that has a client connecting to it using sftp to get a
    >> file that is put there by the mainframe. The client has requested that
    >> the group write permission be removed from the directory they connect to
    >> for security reasons, I understand this, doing this however requires
    >> that changes be made on the mainframe which the mainframe folks are
    >> hesitant to do. Or making changes on the server which I'm
    >> hesitant to do as it's only this client that is using sftp.
    >>
    >> Am I correct in my understanding that sftp will work with the group
    >> writable bit set on the directory? The only people in the group that
    >> they are concerned about is them and the mainframe account.
    >>
    >> Jason

    >
    > No, it is only extensible in the later stages.


    I'm sorry Alric, I don't understand the extensible reference here. Are you
    saying sftp can't do what I'm asking?

    Jason

  4. Re: sftp and directory group writable


    > We have a server that has a client connecting to it using sftp to get a
    > file that is put there by the mainframe. The client has requested that
    > the group write permission be removed from the directory they connect to
    > for security reasons, I understand this, doing this however requires
    > that changes be made on the mainframe which the mainframe folks are
    > hesitant to do. Or making changes on the server which I'm
    > hesitant to do as it's only this client that is using sftp.
    >
    > Am I correct in my understanding that sftp will work with the group
    > writable bit set on the directory? The only people in the group that
    > they are concerned about is them and the mainframe account.
    >
    > Jason


    sftp itself doesn't care about this bit explicitly, though of course it
    will be subject to the corresponding file access restrictions just like
    any other process. If the directory in question is the home directory of
    the login account, however, then SSH (the transport under sftp) *does*
    care. If you're using SSH publickey authentication, then by default it
    will not work if any of ~, ~/.ssh, or ~/.ssh/authorized_keys are group or
    other-writable. You can control this with the StrictModes option to sshd.

    --
    Richard Silverman
    res@qoxp.net
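
An added example (not part of the post above, and not sshd's own code): a Python check for the condition the post describes, flagging any of ~, ~/.ssh and ~/.ssh/authorized_keys that is group- or other-writable. The ownership test (root or the account), the function names and the throwaway sample home directory are assumptions of this example.

```python
import os
import stat
import tempfile


def strictmodes_findings(home, uid):
    """Return (path, problem) pairs for the three paths named in the post."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # path absent: nothing to check for this entry
        # Assumption of this example: the path must belong to root or the account.
        if st.st_uid not in (0, uid):
            findings.append((path, "owned by uid %d" % st.st_uid))
        # 0o022 = group-write | other-write, the bits the post says break key auth.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((path, "mode %04o is group/other-writable" % mode))
    return findings


def build_sample_home(home_mode):
    """Constructed sample: a temporary 'home' with .ssh/authorized_keys inside."""
    home = tempfile.mkdtemp(prefix="sftp-home-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("ssh-rsa AAAA...constructed-placeholder user@example\n")
    os.chmod(keys, 0o600)
    os.chmod(home, home_mode)  # the directory mode under discussion in the thread
    return home


if __name__ == "__main__":
    # 0775 is the group-writable case from the question; 0755 is the tightened one.
    for mode in (0o775, 0o755):
        sample = build_sample_home(mode)
        print("%04o" % mode, strictmodes_findings(sample, os.getuid()) or "ok")
```

Run against a real account by passing its home directory and numeric uid; an empty list means none of the three paths is group- or other-writable.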





  5. Re: sftp and directory group writable

    On Tue, 11 Dec 2007 10:39:33 -0400, Jason wrote:

    > * Alric Knebel :
    >> On Mon, 10 Dec 2007 11:39:18 -0400, Jason wrote:
    >>
    >>> We have a server that has a client connecting to it using sftp to get a
    >>> file that is put there by the mainframe. The client has requested that
    >>> the group write permission be removed from the directory they connect to
    >>> for security reasons, I understand this, doing this however requires
    >>> that changes be made on the mainframe which the mainframe folks are
    >>> hesitant to do. Or making changes on the server which I'm
    >>> hesitant to do as it's only this client that is using sftp.
    >>>
    >>> Am I correct in my understanding that sftp will work with the group
    >>> writable bit set on the directory? The only people in the group that
    >>> they are concerned about is them and the mainframe account.
    >>>
    >>> Jason

    >>
    >> No, it is only extensible in the later stages.

    >
    > I'm sorry Alric, I don't understand the extensible reference here. Are you
    > saying sftp can't do what I'm asking?
    >
    > Jason


    Silvermen is half-right and I would agree.
    --
    ____________________
    Alric Knebel

    http://www.ironeyefortress.com/C-SPAN_loon.html
    http://www.ironeyefortress.com

  6. Re: sftp and directory group writable

    * Alric Knebel :
    >
    > Silvermen is half-right and I would agree.


    half right? that means they're half wrong then as well. What part did
    they get wrong?

    Jason

  7. Re: sftp and directory group writable

    On Wed, 12 Dec 2007 12:19:30 -0400, Jason wrote:

    > * Alric Knebel :
    >>
    >> Silvermen is half-right and I would agree.

    >
    > half right? that means they're half wrong then as well. What part did
    > they get wrong?
    >
    > Jason


    The writable bit set.
    ____________________
    Alric Knebel

    http://www.ironeyefortress.com/C-SPAN_loon.html
    http://www.ironeyefortress.com

  8. Re: sftp and directory group writable

    >
    > On Wed, 12 Dec 2007 12:19:30 -0400, Jason wrote:
    > > * Alric Knebel :
    > >>
    > >> Silvermen is half-right and I would agree.

    > >
    > > half right? that means they're half wrong then as well. What part did
    > > they get wrong?
    > >
    > > Jason

    >
    > The writable bit set.


    Could you be more specific about exactly what you imagine was wrong in my post?

    --
    Richard Silverman
    res@qoxp.net


  9. Re: sftp and directory group writable

    On 13 Dec 2007 22:02:19 -0500, Richard E. Silverman wrote:

    >>>> Silvermen is half-right and I would agree.
    >>>
    >>> half right? that means they're half wrong then as well. What part did
    >>> they get wrong?
    >>>
    >>> Jason

    >>
    >> The writable bit set.

    >
    > Could you be more specific about exactly what you imagine was wrong in my post?


    Snippy?

    File access restrictions as always, *only* if they are corresponding
    (assuming logindir=root) and SSH in step, sftp could give a rat's asshair
    (excepting PKI Auth).

    StrictModes is highly limited to control, this is the half bassakwards.
    ____________________
    Alric Knebel

    http://www.ironeyefortress.com/C-SPAN_loon.html
    http://www.ironeyefortress.com

  10. Re: sftp and directory group writable

    >>>>> "AK" == Alric Knebel writes:

    AK> On 13 Dec 2007 22:02:19 -0500, Richard E. Silverman wrote:
    >>>>> Silvermen is half-right and I would agree.
    >>>> half right? that means they're half wrong then as well. What
    >>>> part did they get wrong?
    >>>>
    >>>> Jason
    >>> The writable bit set.

    >> Could you be more specific about exactly what you imagine was
    >> wrong in my post?


    AK> Snippy?

    Not really.

    AK> File access restrictions as always, *only* if they are
    AK> corresponding (assuming logindir=root) and SSH in step, sftp could
    AK> give a rat's asshair (excepting PKI Auth).

    AK> StrictModes is highly limited to control, this is the half
    AK> bassakwards. ____________________ Alric Knebel

    I'm sorry, but your English is mostly incomprehensible. Picking out the
    only part I can understand, that sftp doesn't itself care about the modes,
    this is exactly what I said:

    > sftp itself doesn't care about this bit explicitly...


    --
    Richard Silverman
    res@qoxp.net


  11. Re: sftp and directory group writable

    * Richard E. Silverman :
    > I'm sorry, but your English is mostly incomprehensible. Picking out the
    > only part I can understand, that sftp doesn't itself care about the modes,
    > this is exactly what I said:
    >
    >> sftp itself doesn't care about this bit explicitly...

    >


    Thank you Richard, and I thought it was just me having problems with
    their English, that or being out-geeked and not understanding what they
    were saying.

    Jason

  12. Re: sftp and directory group writable

    On 14 Dec 2007 18:55:07 -0500, Richard E. Silverman wrote:

    > I'm sorry, but your English is mostly incomprehensible. Picking out the
    > only part I can understand, that sftp doesn't itself care about the modes,
    > this is exactly what I said:
    >
    >> sftp itself doesn't care about this bit explicitly...


    I agreed. So?
    --
    ____________________
    Alric Knebel

    http://www.ironeyefortress.com/C-SPAN_loon.html
    http://www.ironeyefortress.com
