sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. sftp-server is a program that speaks the server side of the SFTP protocol: it writes responses to stdout and reads client requests from stdin. sftp-server is not intended to be called directly, but from sshd(8) using the Subsystem option. Refer to the solution section for configuration details on how to disable delete and rename permission for SFTP users.
- Blacklisting and whitelisting SFTP requests
- Chrooted upload-only SFTP account – what requests to blacklist/whitelist
- Restrict an SFTP user to a limited set of commands/actions on Linux
- SFTP: restrict delete, remove or rename permission
- How to configure SFTP to allow only specific requests?
- How to disable delete and rename permission on SFTP?
- Arch Linux
- Alpine Linux
The Linux SFTP subsystem (sftp-server) supports the following protocol requests, and all of them are enabled by default. Run the following command to list every request the installed sftp-server supports:
# /usr/libexec/openssh/sftp-server -Q requests
open
close
read
write
lstat
fstat
setstat
fsetstat
opendir
readdir
remove
mkdir
rmdir
realpath
stat
rename
readlink
symlink
posix-rename
statvfs
fstatvfs
hardlink
fsync
Add the following configuration to the /etc/ssh/sshd_config file on the SFTP server system to disable delete and rename permission for all SFTP users, then restart the sshd service. The -P option takes a comma-separated blacklist of requests that sftp-server will refuse.
# For normal SFTP (without chroot), add the following line to sshd_config:
Subsystem sftp /usr/libexec/openssh/sftp-server -P remove,rmdir,rename,posix-rename
# For chrooted SFTP, add the following line to sshd_config:
Subsystem sftp internal-sftp -P remove,rmdir,rename,posix-rename
A sample configuration for a chrooted Match block:
Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp -P remove,rmdir,rename,posix-rename
    X11Forwarding no
    AllowTcpForwarding no
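The -P list is matched against request names as they arrive, so a misspelled entry never matches anything and silently leaves that request permitted, and a line that forgets one of the four names still allows deletion or renaming by another route (rmdir for directories, posix-rename alongside rename). The following POSIX shell script is an added example, not part of the original solution: it reads an sshd_config fragment, pulls the -P list off the first Subsystem sftp or ForceCommand line, and reports which of remove, rmdir, rename and posix-rename are still permitted and which listed names do not appear in the request list printed by "sftp-server -Q requests" above. The sample configurations at the bottom are constructed for the demonstration; the function and variable names are the script's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config fragment for the sftp-server / internal-sftp
# "-P" refuse-list. Not code from the original article; names are the script's own.

# Request names as printed by "sftp-server -Q requests" (copied from the article's output).
SUPPORTED_REQUESTS="open close read write lstat fstat setstat fsetstat opendir readdir remove mkdir rmdir realpath stat rename readlink symlink posix-rename statvfs fstatvfs hardlink fsync"

# Requests that must be refused for a "no delete, no rename" SFTP account.
DESTRUCTIVE_REQUESTS="remove rmdir rename posix-rename"

# Read sshd_config text on stdin; print the comma-separated -P argument from the first
# "Subsystem sftp ..." or "ForceCommand ..." line. Prints nothing if no -P is present.
# The anchor on the directive name skips commented-out lines.
extract_refused() {
    grep -Ei '^[[:space:]]*(Subsystem[[:space:]]+sftp|ForceCommand)[[:space:]]' |
        sed -n 's/.*[[:space:]]-P[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1
}

# Given a comma-separated refuse list, print each destructive request it does NOT contain.
missing_destructive() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    for want in $DESTRUCTIVE_REQUESTS; do
        found=0
        for have in $list; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$want"
    done
    return 0
}

# Given a comma-separated refuse list, print each entry that is not a known request name
# (a typo here is never matched by sftp-server, so the request stays permitted).
unknown_requests() {
    for have in $(printf '%s' "$1" | tr ',' ' '); do
        found=0
        for known in $SUPPORTED_REQUESTS; do
            [ "$have" = "$known" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$have"
    done
    return 0
}

# Audit one config text. Returns 0 when all four destructive requests are refused and
# every listed name is a real request; prints findings and returns 1 otherwise.
audit_sftp_config() {
    refused=$(printf '%s\n' "$1" | extract_refused)
    if [ -z "$refused" ]; then
        echo "FAIL: no -P refuse-list found on any Subsystem sftp / ForceCommand line"
        return 1
    fi
    status=0
    for m in $(missing_destructive "$refused"); do
        echo "FAIL: '$m' is still permitted"
        status=1
    done
    for u in $(unknown_requests "$refused"); do
        echo "WARN: '$u' is not a name reported by 'sftp-server -Q requests' (typo?)"
        status=1
    done
    [ "$status" -eq 0 ] && echo "OK: refused requests: $refused"
    return "$status"
}

# Constructed sample configurations for the demonstration (not from a real system).
GOOD_CONFIG='Match Group sftp_users
    ChrootDirectory %h
    ForceCommand internal-sftp -P remove,rmdir,rename,posix-rename
    X11Forwarding no
    AllowTcpForwarding no'

# Forgets rmdir and misspells rename as "renmae", which sftp-server would never match.
BAD_CONFIG='Subsystem sftp /usr/libexec/openssh/sftp-server -P remove,renmae,posix-rename'

# Stock subsystem line with no restriction at all.
DEFAULT_CONFIG='Subsystem sftp /usr/libexec/openssh/sftp-server'

run_demo() {
    echo "--- chrooted Match block";   audit_sftp_config "$GOOD_CONFIG"    || true
    echo "--- misconfigured subsystem"; audit_sftp_config "$BAD_CONFIG"     || true
    echo "--- default subsystem";       audit_sftp_config "$DEFAULT_CONFIG" || true
}

run_demo
```

Run it against the live file with `audit_sftp_config "$(cat /etc/ssh/sshd_config)"`; on a server with several Match blocks, check each block separately, because the script only inspects the first sftp line it finds. A typo or a missing name should be treated as a configuration failure, not a warning to revisit later, since sshd will start cleanly either way.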
$ man sftp
$ man sftp-server