From e5c9cf9ac7543a5e59dabf11f993a9c032b9b71f Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 21 May 2026 02:50:59 +0000 Subject: [PATCH] upstream: mention usefulness of request type allow/denylisting for servers accepting untrusted clients OpenBSD-Commit-ID: 8b991bd263b46374a8e73f02d05cdccca73ae520 --- sftp-server.8 | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/sftp-server.8 b/sftp-server.8 index 5311bf929..d9060ab9a 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.31 2021/07/27 14:14:25 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.32 2026/05/21 02:50:59 djm Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -22,7 +22,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 27 2021 $ +.Dd $Mdocdate: May 21 2026 $ .Dt SFTP-SERVER 8 .Os .Sh NAME @@ -109,6 +109,17 @@ The flag can be used to determine the supported request types. If both denied and allowed lists are specified, then the denied list is applied before the allowed list. +This flag, along with the +.Fl p +flag, may be used to disable operations that are irrelevant or undesirable +for the server. +For example, a +.Nm +that accepts connections from untrusted clients may wish to disable the +.Dq copy-data +or +.Dq users-groups-by-id +operations. .It Fl p Ar allowed_requests Specifies a comma-separated list of SFTP protocol requests that are permitted by the server.
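Review bot: In the last hunk (@@ -109,6 +109,17 @@), the added sentence "This flag, along with the .Fl p flag, may be used to disable operations" reads as if both flags work the same way, but the .It Fl p entry that follows describes a list of requests that are permitted, so -p disables an operation only by leaving it off the list. Suggest wording that keeps the two apart, for example "may be used to deny specific operations, or .Fl p may be used to permit only a chosen set", and tying it to the precedence sentence immediately above (denied list applied before the allowed list), since the new text encourages using both together. The example names "copy-data" and "users-groups-by-id" without saying why a server accepting untrusted clients would want them off; a short clause giving the reason would let an administrator judge which other request types belong on the list. Because the advice applies equally to the allow list, consider a cross-reference from the .It Fl p entry so it is not documented only under this flag.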