From: Lyor Goldstein
Date: Sat, 17 Oct 2020 09:10:12 +0300
Subject: Re: Help on permissions on SCP and SFTP operations
To: dev@mina.apache.org

>> The use case is before any file operations I need to check whether the user in session is having permissions to carry on the operations,

This involves registering your own SftpFileSystemAccessor via:

    SftpSubsystemFactory factory = new SftpSubsystemFactory.Builder()
        .withFileSystemAccessor(new MySftpFileSystemAccessor())
        .with...
        .with...
        .build();
    sshd.setSubsystemFactories(Collections.singletonList(factory));

    class MySftpFileSystemAccessor implements SftpFileSystemAccessor {
        // ...override whatever methods you need and check access permissions...
    }

If instead you want to override the actual raw SFTP command then you need to sub-class SftpSubsystem - which I cannot guarantee to satisfy all your needs.

As far as SCP goes, you could register an ScpTransferEventListener and examine each upload/download request and throw an exception if the user does not have the right permissions for the source/target.

If more fine-grained control is required, then I'm afraid you will have to provide your own FileSystem implementation. If you do that you could use it not only for SCP but also for SFTP (you can see our RootedFileSystemProvider as an example).

>> along with that we have a logic to check whether the command is valid or not

I don't understand what "valid command" means - if it is a valid SCP/SFTP command the server will execute it, otherwise it will reject it.
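An added example, not part of the original message and not Apache MINA SSHD code: a plain-JDK permission check of the kind the SftpFileSystemAccessor overrides or the ScpTransferEventListener mentioned above could call before allowing an operation. The class name, grant model, users and paths are hypothetical, and wiring it into the SSHD hooks depends on the method signatures of the SSHD version in use.

```java
import java.nio.file.AccessDeniedException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.EnumSet;
import java.util.Map;

/** Hypothetical per-user policy; call check() from the accessor or listener before touching the file. */
public class UserAccessPolicy {
    public enum Op { READ, WRITE }
    /** One grant: a directory subtree and the operations allowed inside it. */
    public static final class Grant {
        final Path root;
        final EnumSet<Op> ops;
        public Grant(Path root, EnumSet<Op> ops) {
            this.root = root.toAbsolutePath().normalize();
            this.ops = ops;
        }
    }
    private final Map<String, Grant> grants;
    public UserAccessPolicy(Map<String, Grant> grants) { this.grants = grants; }
    /** Returns the normalized path if allowed; otherwise throws so the request fails. */
    public Path check(String user, Path requested, Op op) throws AccessDeniedException {
        Grant g = grants.get(user);
        // Lexical normalization stops "a/../../x" escapes; symlinks need toRealPath() on existing files.
        Path p = requested.toAbsolutePath().normalize();
        if (g == null || !p.startsWith(g.root) || !g.ops.contains(op)) {
            throw new AccessDeniedException(p.toString(), null, user + " may not " + op);
        }
        return p;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample data: alice is read-only under /srv/sftp/alice.
        UserAccessPolicy policy = new UserAccessPolicy(
            Map.of("alice", new Grant(Paths.get("/srv/sftp/alice"), EnumSet.of(Op.READ))));
        System.out.println("allowed: " + policy.check("alice", Paths.get("/srv/sftp/alice/report.txt"), Op.READ));
        Object[][] denied = {
            {"alice", "/srv/sftp/alice/report.txt", Op.WRITE},  // operation not granted
            {"alice", "/srv/sftp/alice/../bob/key", Op.READ},   // escapes the subtree
            {"mallory", "/srv/sftp/alice/report.txt", Op.READ}, // no grant at all
        };
        for (Object[] t : denied) {
            try {
                policy.check((String) t[0], Paths.get((String) t[1]), (Op) t[2]);
                throw new IllegalStateException("expected denial");
            } catch (AccessDeniedException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```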