Net-SFTP-SftpServer
The following example script shows how this module can be used to give
far greater control over what is allowed on your SFTP server.
This setup is aimed at admins who want to offer SFTP uploads but do not
wish to grant users a shell account. For it to work you must point both
the sshd SFTP subsystem and the user's login shell at the sftp script, eg
/usr/local/bin/sftp-server.pl. Both are needed: the subsystem entry makes
sftp sessions run the script, and the shell entry ensures that a plain
"ssh user@host" (or "ssh user@host command") also lands in the script,
which refuses anything that is not a subsystem start.
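As an added example (not code from the module or its author), here is a small POSIX shell preflight check for the two sshd-side requirements above: that the effective "Subsystem sftp" line names the script, and that the user's login shell is the script. The script path and the sample sshd_config and passwd entries are constructed assumptions matching the page's example, not real system files.

```shell
#!/bin/sh
# Added example, not part of Net::SFTP::SftpServer. Preflight check that sshd
# and the user's account are BOTH pointed at the sftp script, as the text
# requires. The script path is an assumption matching the page's example.
SFTP_SCRIPT=/usr/local/bin/sftp-server.pl

# sftp_subsystem_ok CONFIG_FILE
# True if the effective "Subsystem sftp" line in sshd_config names the script.
# sshd honours the first occurrence of a keyword, so only the first line counts;
# keywords are case-insensitive, commented lines never match.
sftp_subsystem_ok() {
    sub=$(awk 'tolower($1)=="subsystem" && $2=="sftp" { print $3; exit }' "$1")
    [ "$sub" = "$SFTP_SCRIPT" ]
}

# user_shell_ok USER PASSWD_FILE
# True if the account's login shell (field 7 of passwd) is the script, so that
# "ssh user@host" cannot obtain an interactive shell.
user_shell_ok() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "$2")
    [ "$shell" = "$SFTP_SCRIPT" ]
}

# sftp_only_ok USER CONFIG_FILE PASSWD_FILE
# Both conditions together: either one alone leaves a way round the restriction.
sftp_only_ok() {
    sftp_subsystem_ok "$2" && user_shell_ok "$1" "$3"
}

# --- Constructed sample inputs (not real system files) -----------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

cat > "$DEMO/sshd_config" <<'EOF'
# constructed sshd_config excerpt
Port 22
Subsystem sftp /usr/local/bin/sftp-server.pl
EOF

# A stock configuration still pointing at the OpenSSH sftp-server binary.
cat > "$DEMO/sshd_config.stock" <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

cat > "$DEMO/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
sftptest:x:1001:1001::/var/upload/sftp/sftptest:/usr/local/bin/sftp-server.pl
shelluser:x:1002:1002::/home/shelluser:/bin/bash
EOF

for u in sftptest shelluser; do
    if sftp_only_ok "$u" "$DEMO/sshd_config" "$DEMO/passwd"; then
        echo "$u: sftp-only setup OK"
    else
        echo "$u: NOT restricted to the sftp script"
    fi
done
```

Run it as root against the real files (/etc/ssh/sshd_config and /etc/passwd) after editing them; remember that chsh refuses a shell not listed in /etc/shells for non-root users, whereas usermod -s as root does not.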
This configuration:
* Enforces that users can only access the sftp script, not an ssh
shell.
* Chroots them into their home directory in /var/upload/sftp
* Sets all file permissions to 0660 and does not permit users to
change them.
* Does not allow symlinks, making directories or renaming directories,
but allows all other normal actions.
* Has a maximum upload file size of 200 MB
* Has a script memory limit of 100 MB for safety
* Will log actions by user sftptest in debug mode
* Will only allow alphanumeric plus _ . and - in filenames
* Will call ActionOnSent and ActionOnReceived respectively when files
have been sent or received.
    #!/usr/local/bin/perl
    use strict;
    use warnings;
    use Net::SFTP::SftpServer ( { log => 'local5' }, qw ( :LOG :ACTIONS ) );
    use BSD::Resource;    # for setrlimit

    # Users (upper-cased login names) whose sessions are logged in debug mode
    use constant DEBUG_USER => {
        SFTPTEST => 1,
    };

    # Security - make sure we have been started as the sftp subsystem, not as
    # a login shell. sshd runs the user's shell as "<shell> -c <subsystem>",
    # so a legitimate start gives exactly "-c /usr/local/bin/sftp-server.pl".
    # An interactive login ("ssh host") or a remote command ("ssh host cmd")
    # gives anything else and is refused.
    unless ( scalar @ARGV == 2 and
             $ARGV[0] eq '-c' and
             $ARGV[1] eq '/usr/local/bin/sftp-server.pl' ) {
        logError "SFTP connection attempted for application '" . join( ' ', @ARGV ) . "' - exiting";
        print "\r\nYou do not have permission to login interactively to this host.\r\n\r\n"
            . "Please contact the system administrator if you believe this to be a configuration error.\r\n";
        exit 1;
    }

    my $MEMLIMIT = 100 * 1024 * 1024;    # 100 MB

    # Hard limits on process memory usage. Soft and hard limits are set to the
    # same value so the script cannot raise them again. RLIMIT_VMEM is the
    # address-space limit (named RLIMIT_AS on Linux, where RLIMIT_RSS is not
    # enforced by recent kernels, so the address-space limit is the one that
    # actually bites).
    setrlimit( RLIMIT_RSS,  $MEMLIMIT, $MEMLIMIT );
    setrlimit( RLIMIT_VMEM, $MEMLIMIT, $MEMLIMIT );

    my $user  = getpwuid($>);    # login name of the authenticated user
    my $debug = ( defined $user and DEBUG_USER->{ uc $user } ) ? 1 : 0;

    my $sftp = Net::SFTP::SftpServer->new(
        debug               => $debug,
        home                => '/var/upload/sftp',    # chroot base; users are confined below it
        file_perms          => 0660,                  # mode applied to every file the server creates
        on_file_sent        => \&ActionOnSent,
        on_file_received    => \&ActionOnReceived,
        use_tmp_upload      => 1,                     # stage uploads under a temporary name until complete
        max_file_size       => 200 * 1024 * 1024,     # 200 MB
        valid_filename_char => [ 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '_', '.', '-' ],
        deny                => ALL,                   # default-deny; list only what is permitted
        allow               => [ (
            SSH2_FXP_OPEN,
            SSH2_FXP_CLOSE,
            SSH2_FXP_READ,
            SSH2_FXP_WRITE,
            SSH2_FXP_LSTAT,
            SSH2_FXP_STAT_VERSION_0,
            SSH2_FXP_FSTAT,
            SSH2_FXP_OPENDIR,
            SSH2_FXP_READDIR,
            SSH2_FXP_REMOVE,
            SSH2_FXP_STAT,
            SSH2_FXP_RENAME,
        ) ],
        # Acknowledged with OK but not performed, so clients that insist on
        # setting permissions after upload keep working without changing anything
        fake_ok             => [ (
            SSH2_FXP_SETSTAT,
            SSH2_FXP_FSETSTAT,
        ) ],
    );
    $sftp->run();

    # Called by the server with the path of a file after a client has
    # downloaded it (on_file_sent) or finished uploading it (on_file_received).
    sub ActionOnSent {
        my $filename = shift;
        ## Do Stuff
    }

    sub ActionOnReceived {
        my $filename = shift;
        ## Do Stuff
    }
DEPENDENCIES
Stat::lsMode
Fcntl
POSIX
Sys::Syslog
Errno
SEE ALSO
Sftp protocol
<http://www.openssh.org/txt/draft-ietf-secsh-filexfer-02.txt>
AUTHOR
Simon Day, Pirum Systems Ltd
cpan <at> simonday.info
COPYRIGHT AND LICENSE
Based on sftp-server.c Copyright (c) 2000-2004 Markus Friedl. All rights