Reputation: 83
I am using the Apache MINA SSHD library to expose an SFTP server in a Spring Boot application, and I'm wondering how I should implement logic to prevent certain files from being overwritten by a specific user (and, more generally, to prevent uploads in a given directory, making it read-only).
I suppose it should be achieved by overriding methods in a class implementing the SftpEventListener, using the session to check the authenticated user's username.
I tried throwing an exception in the writing method for the given username and path, but what happens is the following:
I think that the writing method gets called too late and I should look for an "open for write" one, but open from SftpEventListener doesn't seem to carry this info.
Can anyone point out how this logic is supposed to be achieved?
Thanks in advance!
Upvotes: 0
Views: 28
Reputation: 83
Okay, after more investigation I found the issue SSHD-731, which depicts a very similar situation.
Looking at the changes made in the commit that patched it, it's possible to see how to detect the "open for write" action. It must be done in the opening method of the SftpEventListener, and it looks like this:
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.io.IoUtils;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.sftp.server.FileHandle;
import org.apache.sshd.sftp.server.Handle;

// Called before the handle is returned to the client, so a write can still be refused here.
@Override
public void opening(ServerSession serverSession, String remoteHandle, Handle localHandle) throws IOException {
    if (localHandle instanceof FileHandle fileHandle) {
        // Only file handles carry open options; directory handles are listings and are left alone.
        boolean openForWrite = GenericUtils.containsAny(fileHandle.getOpenOptions(), IoUtils.WRITEABLE_OPEN_OPTIONS);
        // Add a custom condition here, like "file is inside a given read-only directory"
        // or a check on serverSession.getUsername() for the authenticated user.
        if (openForWrite && fileHandle.getFile().toString().startsWith(this.storageReportsDirectoryPathString)) {
            throw new AccessDeniedException("Operation not permitted for the authenticated user");
        }
    }
}
Hope it helps anyone facing the same issue.
Upvotes: 0
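Below is a complete listener built on the approach from the answer above, as an added example that is not part of the original question or answer. It keeps a per-user map of read-only directories, refuses any file handle opened with a writeable option under one of them, and shows how the listener is attached to the SFTP subsystem. The class and field names are assumptions made up for the example; the package names are those of the MINA SSHD 2.x line (`org.apache.sshd.sftp.server`), and older releases placed the same classes under `org.apache.sshd.server.subsystem.sftp`, so check the imports against the version in use.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.io.IoUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.sftp.server.FileHandle;
import org.apache.sshd.sftp.server.Handle;
import org.apache.sshd.sftp.server.SftpEventListener;
import org.apache.sshd.sftp.server.SftpSubsystemFactory;

/**
 * Example listener (not part of the original post): makes selected directories
 * read-only for selected users by refusing "open for write" in opening().
 */
public class ReadOnlyDirectoryListener implements SftpEventListener {

    // username -> directories that are read-only for that user (absolute, normalized).
    // Field and class names are assumptions chosen for this example.
    private final Map<String, Set<Path>> readOnlyDirsByUser;

    public ReadOnlyDirectoryListener(Map<String, Set<Path>> readOnlyDirsByUser) {
        this.readOnlyDirsByUser = readOnlyDirsByUser;
    }

    /** True if writes by this user are denied under the given target path. */
    boolean isWriteDenied(String username, Path target) {
        Set<Path> dirs = readOnlyDirsByUser.getOrDefault(username, Collections.emptySet());
        Path normalized = target.toAbsolutePath().normalize();
        // Path.startsWith compares whole path components, so a rule for /data/reports
        // does not accidentally cover /data/reports-archive the way a String prefix would,
        // and normalize() removes any ".." segments before the comparison.
        return dirs.stream().anyMatch(normalized::startsWith);
    }

    @Override
    public void opening(ServerSession session, String remoteHandle, Handle localHandle) throws IOException {
        if (!(localHandle instanceof FileHandle)) {
            return; // directory handles are listings and carry no open options
        }
        FileHandle fileHandle = (FileHandle) localHandle;
        // Any of WRITE, APPEND, CREATE, TRUNCATE_EXISTING, ... counts as an upload or overwrite.
        boolean openForWrite = GenericUtils.containsAny(fileHandle.getOpenOptions(), IoUtils.WRITEABLE_OPEN_OPTIONS);
        String username = session.getUsername();
        if (openForWrite && isWriteDenied(username, fileHandle.getFile())) {
            // Thrown before the handle reaches the client, so the client gets an error status instead of a handle.
            throw new AccessDeniedException(fileHandle.getFile().toString(), null,
                    "Write access denied for user " + username);
        }
    }

    /** Wiring: register the listener on the SFTP subsystem factory of an SshServer. */
    public static void install(SshServer sshd) {
        // Constructed sample rule: user "reporter" may read but not write under /srv/sftp/reports.
        Map<String, Set<Path>> rules = Map.of(
                "reporter", Set.of(Paths.get("/srv/sftp/reports").toAbsolutePath().normalize()));

        SftpSubsystemFactory factory = new SftpSubsystemFactory.Builder().build();
        factory.addSftpEventListener(new ReadOnlyDirectoryListener(rules));
        sshd.setSubsystemFactories(Collections.singletonList(factory));
    }
}
```

Two points worth keeping in mind when using this. Blocking the open-for-write only protects against uploads and in-place overwrites; a fully read-only directory also needs the listener's removing, moving and creating hooks (delete, rename and mkdir) to apply the same per-user rule, and their exact signatures differ between MINA SSHD versions, so copy them from the SftpEventListener of the release you depend on. Also compare paths as Path objects after normalize(), as above, rather than as string prefixes, otherwise a sibling directory that merely shares a name prefix with the protected one would be covered by the rule.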