From 5365c5c27d078f7ab33537d86b9a7af1c031e2d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Skowro=C5=84ski?=
Date: Thu, 28 Nov 2024 22:27:26 +0100
Subject: [PATCH] fix SCP support
---
 files/permit-scp.sh | 16 ++++++++++++++--
 files/sshd_config | 7 +------
 2 files changed, 15 insertions(+), 8 deletions(-)
 mode change 100644 => 100755 files/permit-scp.sh
diff --git a/files/permit-scp.sh b/files/permit-scp.sh
old mode 100644
new mode 100755
index f1effe37..d7baee56
--- a/files/permit-scp.sh
+++ b/files/permit-scp.sh
@@ -1,9 +1,21 @@
 #!/bin/bash
-# Permit scp
 case $SSH_ORIGINAL_COMMAND in
- 'scp'*)
+# Permit scp when run in internal source/dest/dir mode
+# NOTE: adding path does not protect from rogue symlinks
+ "scp -f $HOME/"*)
 $SSH_ORIGINAL_COMMAND
 ;;
+ "scp -t $HOME/"*)
+ $SSH_ORIGINAL_COMMAND
+ ;;
+ "scp -d $HOME"*)
+ $SSH_ORIGINAL_COMMAND
+ ;;
+# Permit standard sftp - by pats, as `internal-sftp` works only in sshd_config
+ "/usr/lib/openssh/sftp-server")
+ $SSH_ORIGINAL_COMMAND
+ ;;
+# Drop anything else
 *)
 echo "Access Denied"
 ;;
diff --git a/files/sshd_config b/files/sshd_config
index 242d2471..ba99afb0 100644
--- a/files/sshd_config
+++ b/files/sshd_config
@@ -13,12 +13,7 @@ PermitRootLogin no
 X11Forwarding no
 AllowTcpForwarding no
-# Force sftp and chroot jail
-Subsystem sftp internal-sftp
-ForceCommand internal-sftp
-ChrootDirectory %h
-
-# Permit SCP
+Subsystem sftp /usr/lib/openssh/sftp-server
 ForceCommand /usr/local/bin/permit-scp.sh
 # Enable this for more logs
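Review bot: The new scp arms in the `case` only test a string prefix, so whatever follows `scp -f $HOME/` or `scp -t $HOME/` is accepted, including `..` segments and further space-separated arguments that become separate words when the unquoted `$SSH_ORIGINAL_COMMAND` is run; the NOTE comment covers symlinks but not these. A reject arm placed before the scp arms, `*/../*|*/..) echo "Access Denied" >&2; exit 1 ;;`, would close the `..` case, although prefix matching remains a weak boundary compared with a chroot. The `-d` arm has no slash after `$HOME`, so it also matches sibling paths that merely begin with the home path, and as far as I know `-d` alone does not select scp's remote source/sink mode (clients send it together with `-t`), so `"scp -d -t $HOME/"*)` looks like the intended pattern. The fallback arm writes the refusal to stdout and, unless code after the hunk sets a status, the script exits 0; `echo "Access Denied" >&2; exit 1` would make the denial visible as a failure. The `case` statement closes outside this hunk.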
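Review bot: Removing `ChrootDirectory %h` and `ForceCommand internal-sftp` leaves permit-scp.sh as the only confinement, and its sftp arm runs `/usr/lib/openssh/sftp-server` with no path restriction, so an sftp session can reach every file the account's UID can read, which makes the `$HOME` prefix checks on scp moot. If the jail was dropped only because scp needs its binary inside the chroot (an assumption, the commit message does not say), keeping `ChrootDirectory %h` and provisioning scp in the jail would preserve the boundary. Otherwise the new trust model should be stated next to the directive, for example `# No chroot: sftp/scp users are limited by file permissions only`. No `Match` block is visible in this hunk, so it is also worth confirming that the `ForceCommand` is meant to apply to every account; the surrounding file lies outside the hunk.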