[
https://issues.apache.org/jira/browse/SSHD-1042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17165667#comment-17165667
]
Shahbaz commented on SSHD-1042:
-------------------------------
Thanks [~wolft] Is there any specific thing that needs to be handled in our
implementation to prevent destroy() from getting invoked and connection getting
closed. We are unable to find why destroy() is invoked in case of
SSH_FXP_READDIR command, even though AcessDeniedException is thrown from our
implementation.
> Command Limiting Policy SSH_FXP_READDIR closing connection
> ----------------------------------------------------------
>
> Key: SSHD-1042
> URL: https://issues.apache.org/jira/browse/SSHD-1042
> Project: MINA SSHD
> Issue Type: New Feature
> Reporter: Shahbaz
> Priority: Major
> Attachments: apache rmdir.PNG, maverick filesystem.PNG
>
>
> *This are the below commands which prevent the execution of process for the
> user at instance level relating to permission of open, read, write, opendir,
> readdir, remove, rename, makedir, removedir respectively.*
> *SSH_FXP_OPEN*
> *SSH_FXP_READ*
> *SSH_FXP_WRITE*
> *SSH_FXP_OPENDIR*
> *SSH_FXP_READDIR*
> *SSH_FXP_REMOVE*
> *SSH_FXP_RENAME*
> *SSH_FXP_MKDIR*
> *SSH_FXP_RMDIR*
> *But the command for* *SSH_FXP_READDIR is not executed as it directly closes
> the connection. This connection is closed because while throwing the
> exception it directly calls destroy method from filesystem. Is there any
> workaround to inhibit its execution when we extend sftpsubsytem class where
> exception is thrown.***
> *While reading the directory when SH_FXP_READDIR is applied, the operation is
> interrupted, as it evokes the destroy function to close the connection
> directly when an IOException is thrown. The issue is how can we make sure the
> destroy function is not called, when exception is thrown in a class which
> extends SFTPSubsystem.*
>
> *Exact working scenarios of the above issue:*
> We have our implementation of Command Limiting Policy to prevent specific IP
> addresses or users from executing
> certain commands on an SFTP server.
> After validation of the policy, we don't want user to perform the operation
> based on the command which is applied on the policy.
> For example: When the SSH_FXP_OPENDIR is invoked, the user is restricted
> from open directory operation.
> Our issue is related to command SSH_FXP_READDIR command.
> Expected Behaviour : Prevent user from reading the directory when sftp ls
> command is executed, by giving the message like "Unable to read the
> directory".
> But we see that, though we throw AcessDeniedException on validating the
> policy, the connection is getting closed, and we get an error as "Connection
> closed".
> We have the same implementation for validating the policy and we throw
> AcessDeniedException in case of all the sftp commands(if we need to prevent
> the user/ip)
> We find that all the sftp commands work as expected, except SSH_FXP_READDIR.
> The difference we find is that destroy() method in SFTP Subsystem is getting
> invoked after our policy validation in SSH_FXP_READDIR. In case of all other
> commands, we dont see destro() getting invoked.
>
> Is there any specific thing that needs to be handled in our implementation to
> prevent destroy() from getting invoked and connection getting closed. We are
> unable to find why destroy() is invoked in case of SSH_FXP_READDIR command,
> even though AcessDeniedException is thrown from our implementation.
>
>
>
> *Below attached are the images which shows how destroy is invoked in both
> maverick and apache case.*
>
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
