published on in security tech

Sandboxed rsync/sftp/scp for secure file uploads

I needed to have someone transfer some files to me securely, but I had a few requirements:

  • no third party (e.g. Dropbox)
  • handle 150+ GiB of files
  • transfer files to a publicly available Linux server
  • don’t give access to the destination server
  • the sender only had standard Linux utilities (specifically rsync)

Previously I have used locked-down ssh-keys and force-command. Both are good solutions.

This time I ended up using a small sandboxed ssh environment in a Docker container with a mounted folder. The benefit compared to internal-sftp is that it gives the sender some flexibility in how he/she wants to transfer the files: scp, sftp and specifically rsync all work.

Warning: Docker containers are not secure sandboxes. The uploader can (by design) upload anything and has shell access, so he/she can upload and execute any executable. Any kernel or Docker vulnerability could lead to an escape from the container. Don’t use this unless you trust the uploader.

In this case, I found a Docker image made specifically for a locked-down ssh/scp/rsync environment.

How-To

First create a folder, for example named upload, in the directory where you want to upload files. Then run the following, remembering to change <USER> and the password placeholder <CHANGEME> to something else:

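# -c 128 and -m 256m limit the container's CPU shares and memory.
# ./upload becomes the user's home directory; the current directory is mounted at /etc/ssh.
docker run --rm -it \
  --name docker_ssh --hostname ssh \
  -c 128 -m 256m \
  -e PGID=1000 -e PUID=1000 \
  -p 64822:64822 \
  -v "$PWD/upload":/home/<USER> -v "$PWD":/etc/ssh \
  -e CNTUSER=<USER> \
  -e CNTPASS=<CHANGEME> \
  -e ROOTPASS="$(openssl rand -base64 12)" \
  woahbase/alpine-ssh:x86_64 \
  /bin/bash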

And then get uploading!

For example,

scp -P 64822 test3.sh <USER>@<SERVER>:~/

or

rsync -a -e "ssh -p 64822" ./ <USER>@<SERVER>:~/
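
Once the transfer is finished, the upload folder on the host holds files written by someone who had a shell in the container. The following is an added example, not part of the original post, of a check to run on the host before opening or moving anything: it flags symlinks, special files, setuid/setgid files and executables. The names audit_upload and AUDIT_FINDINGS are made up for this sketch.

```sh
#!/bin/sh
# Added example: audit the bind-mounted upload folder on the HOST.
# audit_upload and AUDIT_FINDINGS are hypothetical names for this sketch.
# Usage: audit_upload ./upload   (returns 0 only when nothing is flagged)

audit_upload() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

  # Flag everything that is not a directory or a plain non-executable file:
  # symlinks (created in the container, they resolve against the host
  # filesystem when read here), devices/FIFOs/sockets, setuid/setgid files
  # and files with any execute bit.
  report=$(find "$dir" \( ! -type f ! -type d -o -type f \( -perm -4000 \
      -o -perm -2000 -o -perm -100 -o -perm -010 -o -perm -001 \) \) \
    -exec sh -c '
      # Replace control characters so a crafted file name cannot forge lines.
      clean() { printf "%s" "$1" | tr "[:cntrl:]" "?"; }
      for p do
        if   [ -L "$p" ]; then kind=SYMLINK extra=" -> $(clean "$(readlink "$p")")"
        elif [ ! -f "$p" ]; then kind=SPECIAL extra=
        elif [ -u "$p" ] || [ -g "$p" ]; then kind=SETID extra=
        else kind=EXEC extra=
        fi
        printf "%-8s %s%s\n" "$kind" "$(clean "$p")" "$extra"
      done' sh {} +)

  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    AUDIT_FINDINGS=$(printf '%s\n' "$report" | wc -l | tr -d ' ')
  else
    AUDIT_FINDINGS=0
  fi
  echo "$AUDIT_FINDINGS finding(s) in $dir"
  [ "$AUDIT_FINDINGS" -eq 0 ]
}
```

A non-zero exit status means at least one path needs a look before the folder is used; the check does not inspect file contents.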