Home / server / Questions / 504919
Accepted
dmourati
Asked: 2013-05-04 13:30:10 +0800 CST

Disallow -p on sftp

  • 772

We have a server that acts as a "dropbox" for (outside) users to upload data to us over sftp/ssh. We need to process these files (gpg decrypt, unzip, etc) as they come in. In the past, we simply processed each file in each users home directory without regard to whether we had already processed it. This turned out to be wasteful. I updated (rewrote) our processing script to rely on a mechanism like:

FILESTOPROCESS=$(find -H /home/$CUST -type f -newer /home/$CUST/marker-file)

This combined with a touch /home/$CUST/marker-file has worked great and our workload was dramatically reduced.

A day or so ago, we had a configuration issue in our SSH server which temporarily disallowed users to upload files to us. When the script ran again, it overlooked a file the user initially failed to upload, but subsequently uploaded via sftp/ssh with a "-p" option, for preserve timestamp. This set the c/a/mtimes of the file to be a day or so older than the marker-file and so it was subsequently ignored.

I'd like to disallow users from uploading with "-p" so that files are created with current timestamps.

Can I do this in sshd_config?

ssh

4 Answers

  1. Best Answer

    No, you cannot do this in the config. Looking through sftp-server.c, I see that the only way to disable this is to run sftp-server in read only mode, which is quite useless if you want to allow uploads :)

    If you don't mind maintaining your own openssh package, you can remove the calls to utimes/futimes in sftp-server.c before compiling. Alternatively you can use an LD_PRELOAD library with noop implementations of these functions.

    • 6

  2. You can use incond (inotify cron daemon), to trigger a script when a file is added.

    If you have a many uploaded files at once, you can queue the file names to be processed, then you can process the queue items one by one.

    • 4

  3. You said that the ... "-p" option ... set the c/a/mtimes of the file ... - this is incorrect, as the ctime can only ever be set to the current time by changing the inode mtime or permissions (or other inode settings not relevant here).

    With this knowledge, you can find unprocessed files using -cnewer.

    $ FILESTOPROCESS=$(find -H /home/$CUST -type f \
   \( -newer /home/$CUST/marker-file -o \
      -cnewer /home/$CUST/marker-file \) )
    • 2

  4. I don't know if (but I don't think that) you can accomplish this in sshd_config. However, here's an idea: What if you modified the processing script so that the files go into a temp directory first, you grab the hash (md5, perhaps) of the file, and compare that hash to the file with the same name in the user's directory (if such a file exists).

    If the hash matches, then don't do anything (what's the point?)

    If the hash doesn't match, then copy (don't move) the file from the temp directory into the final location (without the -p option, of course).

    • 1