Comment by rad_gruchalski

1 day ago

But why? It can be done with ssh and some mix of linux permissions. It’s simple. There’s always room for more complexity.

2 comments

rad_gruchalski

Reply
m463  1 day ago

I like the simplicity of controlling everything with a hypothetical scp.conf:

  default
    access none /dev /sys /proc
  user foo
    access ro /var/scp/firmware
    access rw /var/scp/user-foo
  user anonymous
    access w /var/scp/dropbox
  user joe
    access rw /home/joe
  user fred
    access rw /
  user backup
    access ro /

  • unsnap_biceps  4 hours ago

    You can actually switch the subsystem to `internal-sftp` and configure the visible path via ChrootDirectory, however you still rely on posix user/group privs.

    Subsystems are pluggable, so you could write your own subsystem that does enforce whatever config and permission model you want. It's not terribly difficult to do, and you can replace the sftp subsystem entirely.

    and just a FYI, currently scp is plumbed over the sftp subsystem, so replacing the sftp subsystem would "fix" scp and sftp clients for you.