Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-08 07:10:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

system commands: recursively verify required permissions

Browse Source 
If any permission is missing at any level, return a "Permission Denied"
error

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2025-09-28 09:34:39 +02:00
parent f4092b9f9e
commit e892748ef4
3 changed files with 35 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/common/common_test.go
View File

@@ -1412,6 +1412,19 @@ func TestUserPerms(t *testing.T) {
u.Permissions["/"] = []string{dataprovider.PermDeleteDirs, dataprovider.PermRenameFiles, dataprovider.PermRenameDirs} u.Permissions["/"] = []string{dataprovider.PermDeleteDirs, dataprovider.PermRenameFiles, dataprovider.PermRenameDirs}
assert.False(t, u.HasPermsDeleteAll("/")) assert.False(t, u.HasPermsDeleteAll("/"))
assert.True(t, u.HasPermsRenameAll("/")) assert.True(t, u.HasPermsRenameAll("/"))
toCheck := []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermCreateDirs, dataprovider.PermListItems,
dataprovider.PermOverwrite, dataprovider.PermDelete}
u.Permissions = make(map[string][]string)
u.Permissions["/"] = []string{dataprovider.PermListItems}
u.Permissions["/example-dir/bar"] = []string{dataprovider.PermListItems}
u.Permissions["/example-dir"] = toCheck
assert.True(t, u.HasPerms(toCheck, "/example-dir"))
assert.False(t, u.HasRecursivePerms(toCheck, "/example-dir"))
delete(u.Permissions, "/example-dir/bar")
assert.True(t, u.HasRecursivePerms(toCheck, "/example-dir"))
u.Permissions["/example-dirbar"] = []string{dataprovider.PermListItems}
assert.True(t, u.HasRecursivePerms(toCheck, "/example-dir"))
} }
func TestGetTLSVersion(t *testing.T) { func TestGetTLSVersion(t *testing.T) {

21
internal/dataprovider/user.go
View File

@@ -876,6 +876,27 @@ func (u *User) HasAnyPerm(permissions []string, path string) bool {
return false return false
} }
// HasRecursivePerms returns true if the user has all the specified permissions
// in the given folder and in every subfolder that has explicit permissions
// defined.
func (u *User) HasRecursivePerms(permissions []string, virtualPath string) bool {
if !u.HasPerms(permissions, virtualPath) {
return false
}
for dir, perms := range u.Permissions {
if len(dir) > len(virtualPath) {
if strings.HasPrefix(dir, virtualPath+"/") {
for _, permission := range permissions {
if !slices.Contains(perms, permission) {
return false
}
}
}
}
}
return true
}
// HasPerms returns true if the user has all the given permissions // HasPerms returns true if the user has all the given permissions
func (u *User) HasPerms(permissions []string, path string) bool { func (u *User) HasPerms(permissions []string, path string) bool {
perms := u.GetPermissionsForPath(path) perms := u.GetPermissionsForPath(path)

2
internal/sftpd/ssh_cmd.go
View File

@@ -262,7 +262,7 @@ func (c *sshCommand) executeSystemCommand(command systemCommand) error { //nolin
} }
perms := []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermCreateDirs, dataprovider.PermListItems, perms := []string{dataprovider.PermDownload, dataprovider.PermUpload, dataprovider.PermCreateDirs, dataprovider.PermListItems,
dataprovider.PermOverwrite, dataprovider.PermDelete} dataprovider.PermOverwrite, dataprovider.PermDelete}
if !c.connection.User.HasPerms(perms, sshDestPath) { if !c.connection.User.HasRecursivePerms(perms, sshDestPath) {
return c.sendErrorResponse(c.connection.GetPermissionDeniedError()) return c.sendErrorResponse(c.connection.GetPermissionDeniedError())
} }