I am trying to white-list certain SFTP requests so that a user can only open and read files and folders. Currently I have this, based on this thread:
    Subsystem sftp internal-sftp
    Match User my-read-user
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp -p open,close,read,opendir,stat,readdir,fstat,lstat,statvfs,fstatvfs,readlink,realpath
This seems to work fine - with one exception: I can create files though I cannot put any content in them. Kind of like touch would work?!
Any ideas are appreciated! Also any better approach would be fine :) Thanks!
Oh, I just found the - apparently - best solution: The parameter -R sets the whole session into read-only mode.