5

Quoting "How to determine if you can write to a file with SFTP because of your group?":

You could do mode & 00002 to see if a [directory] is writable by the public and you could get a directory listing to and see if the owner of . matches the user that you logged in with (although stat doesn't usually return the longname for SFTPv3 servers, which is what you'd need to get the username from that) but what about group permissions?

In the answer to that post it was suggested that a better way to test the writeability of a file with SFTP was to actually open that file for writing, e.g. something analogous to `fopen('filename.ext', 'w');`.

My question is... what's the best way to determine the writeability of a directory with SFTP? You can't open a directory for writing like you can a file. My best guess: just attempt to upload a temporary file in the directory in question?

Like maybe use SSH_FXF_CREAT and SSH_FXF_EXCL? Although the possibility that the file might already exist kinda complicates things. I guess a directory listing could be obtained and then one could attempt to upload a filename that doesn't exist but, the fact that this would require read permissions notwithstanding, it'd also not work as well if the directory was super large.

Any ideas?

neubert
  • @MartinPrikryl - any ideas? – neubert Mar 06 '19 at 13:19
  • 2
    To the person who voted to close this... do you even know what SSH_FXF_CREAT and SSH_FXF_EXCL even are? They're part of the SFTP spec: https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02. I'm not asking how to use an arbitrary SFTP client - I'm asking what combination of of SFTP packets, as described in the IETF drafts, would need to be utilized to make a specific determination. Saying "you can do sftp --opt whatever" to get the desired answer is NOT what I'm looking for. Maybe I should post this question on travel.stackexchange.com because I'm asking about how the packets should travel! – neubert Mar 07 '19 at 12:26

1 Answer

1

What about a login script which would do a touch on that directory with that user?

If sshd would be used you could use a pam_script (pam auth module to execute a script) simply to do a `touch testing_file_creation` in your directory. You would need to add it into your pam sshd configuration.

If the directory would not be writable you would get a message during your login: `touch: testing_file_creation: Permission denied`. Of course, you could do more fancy stuff with that but this would be the very basic.

tukan
  • SFTP doesn't implement touch, as such. It can be emulated with SSH_FXP_OPEN with SSH_FXF_WRITE, SSH_FXF_CREATE, SSH_FXF_EXCL as flags but that wouldn't work with directories. Updating the login script could work but sometimes servers will have SFTP access without shell access (or rather, they'll have a jail shell or some such), which would prevent that approach from working in a pure SFTP client. – neubert Mar 14 '19 at 17:58
  • @neubert this was a general idea. If you can emulate the behaviour there is no difference. If you try to perform `SSH_FXP_OPEN` with `SSH_FXF_WRITE` `SSH_FXF_CREAT` (with `SSH_FXF_EXCL`) in the directory with `O_TRUNC` specified (zero length). If you won't have writing permission then you will get message `SSH_FX_PERMISSION_DENIED`. If this action would be performed by daemon itself you won't need a shell permission. – tukan Mar 15 '19 at 08:17
  • My testing suggests it doesn't work like that. When I send the SSH_FXP_OPEN request I get an SSH_FXP_STATUS response back that says "Failure". What I should be getting back if I had write permission was SSH_FXP_HANDLE but I'm not. https://pastebin.com/CHST3z0a shows what I am getting. I tried with just SSH_FXF_WRITE as well and got https://pastebin.com/Q9rsQcpQ. The thing is... the /root/.ssh directory that I'm testing on *is* writable (I'm logged in as root). I know this because I was able to upload a test file without issue. – neubert Mar 15 '19 at 13:12
  • And tbh idk that that behavior surprises me. https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02 (SFTPv3) has SSH_FXP_OPEN for opening files and SSH_FXP_OPENDIR for opening directories. The former has a field for flags wherein you can request a file be opened for writing - the latter does not. You don't write to a directory by doing SSH_FXP_OPENDIR - you write to a directory by doing SSH_FXP_OPEN not on the directory but on a (new) file *within* the directory with SSH_FXF_CREAT. Doing it on an old file is insufficient because an old file could have its own permissions independent of dir – neubert Mar 15 '19 at 13:15
  • @neubert then probably the only option is to upload a test file. – tukan Mar 16 '19 at 10:52
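The approach the thread ends on (SSH_FXP_OPEN on a fresh file inside the directory, as neubert describes it), written out as an added example that is not code from either poster: it encodes the request with SSH_FXF_WRITE | SSH_FXF_CREAT | SSH_FXF_EXCL and classifies the SSH_FXP_HANDLE or SSH_FXP_STATUS reply. Packet layouts follow draft-ietf-secsh-filexfer-02; the `.write-probe-` file name and the sample replies are constructed here, and a real client still has to close the handle and remove the probe file afterwards.

```python
import os
import struct

# Packet types, pflags and status codes from draft-ietf-secsh-filexfer-02 (SFTPv3)
SSH_FXP_OPEN, SSH_FXP_STATUS, SSH_FXP_HANDLE = 3, 101, 102
SSH_FXF_WRITE, SSH_FXF_CREAT, SSH_FXF_EXCL = 0x02, 0x08, 0x20
SSH_FX_PERMISSION_DENIED, SSH_FX_FAILURE = 3, 4

def sftp_string(data: bytes) -> bytes:
    """SFTP 'string' encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def packet(ptype: int, request_id: int, payload: bytes) -> bytes:
    """Length-prefixed packet: uint32 length, byte type, uint32 id, payload."""
    body = bytes([ptype]) + struct.pack(">I", request_id) + payload
    return struct.pack(">I", len(body)) + body

def build_open(request_id: int, path: str, pflags: int) -> bytes:
    """SSH_FXP_OPEN with an empty ATTRS block (attribute flags = 0)."""
    return packet(SSH_FXP_OPEN, request_id,
                  sftp_string(path.encode()) + struct.pack(">II", pflags, 0))

def probe_packet(request_id: int, directory: str, suffix: str = "") -> bytes:
    """Open a new, randomly named file inside `directory` (constructed name).
    EXCL turns a name collision into a distinct error instead of truncating data."""
    name = directory.rstrip("/") + "/.write-probe-" + (suffix or os.urandom(8).hex())
    return build_open(request_id, name, SSH_FXF_WRITE | SSH_FXF_CREAT | SSH_FXF_EXCL)

def classify_response(reply: bytes) -> str:
    """Map the server's reply to the probe onto a verdict about the directory."""
    (length,) = struct.unpack(">I", reply[:4])
    body = reply[4:4 + length]
    if body[0] == SSH_FXP_HANDLE:
        # Caller must SSH_FXP_CLOSE the handle and SSH_FXP_REMOVE the probe file.
        return "writable"
    if body[0] == SSH_FXP_STATUS:
        (code,) = struct.unpack(">I", body[5:9])
        if code == SSH_FX_PERMISSION_DENIED:
            return "not-writable"
        if code == SSH_FX_FAILURE:
            return "retry-new-name"  # with EXCL set this usually means the name exists
    return "unknown"

# Constructed sample replies (not captured from a real server)
def sample_handle(request_id: int, handle: bytes) -> bytes:
    return packet(SSH_FXP_HANDLE, request_id, sftp_string(handle))

def sample_status(request_id: int, code: int, message: bytes) -> bytes:
    return packet(SSH_FXP_STATUS, request_id,
                  struct.pack(">I", code) + sftp_string(message) + sftp_string(b""))
```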