sftp-server

sftp-server [-R] [-f log_facility] [-l log_level] [-u umask]

-R
    Enables read-only mode, preventing all write, create, remove, and rename operations by the SFTP client.

-f log_facility
    Specifies the syslog facility code to be used when logging messages from sftp-server. Common values include DAEMON, USER, AUTH, LOCAL0-LOCAL7. The default is DAEMON.

-l log_level
    Sets the level for logging messages. Possible values range from QUIET to DEBUG3, providing increasing verbosity. The default level is INFO.

-u umask
    Sets the file mode creation mask (umask) for newly created files and directories. The argument should be an octal value, for example, 022. The default is 022.

The sftp-server program is a critical component of the OpenSSH suite, designed to speak the SFTP (SSH File Transfer Protocol) to a client over a secure SSH connection. It is not intended to be run directly by users but is typically invoked as a subsystem by the sshd daemon when an SFTP client connects. Its primary role is to handle all file system operations requested by the SFTP client, such as listing directories, uploading files, downloading files, creating and deleting files or directories, and renaming.

sftp-server operates by reading SFTP protocol messages from its standard input and writing responses to its standard output, effectively acting as an intermediary between the client and the server's file system, all within the security context of the authenticated user.

sftp-server is typically invoked by the sshd daemon as a subsystem, defined in sshd_config (e.g., Subsystem sftp /usr/lib/openssh/sftp-server). It is not designed to be run directly by a user from the command line, as it expects to communicate over its standard input/output using the SFTP protocol, rather than interactive shell input. Directly running it will likely result in an error or unexpected behavior. Its operation is entirely dependent on a secure SSH connection being established first.

The default path for the sftp-server program is usually configured in the sshd_config file using the Subsystem directive. For example:
Subsystem sftp /usr/lib/openssh/sftp-server
On some systems, it might point to an internal SFTP server built into sshd itself (e.g., Subsystem sftp internal-sftp), which is often more efficient as it avoids spawning an external process.

When sftp-server is invoked by sshd, it runs with the privileges of the authenticated user. This means that file system operations performed by the SFTP client are subject to the same permissions and access controls as if the user had logged in via a shell. This ensures that users can only access files and directories they are authorized to access, maintaining system security.

The SFTP protocol itself originated as an extension to the SSH-2 protocol, providing secure file transfer capabilities beyond basic `scp`. The `sftp-server` program is the OpenSSH project's implementation of this server-side component. It has been an integral part of OpenSSH for many years, evolving alongside the SSH protocol to support various SFTP protocol versions (from 3 to 6) and new features, ensuring secure and robust file transfers in modern network environments.

ssh(1), sshd(8), sftp(1), ssh_config(5), sshd_config(5)