[Bug 3715] New: safely_chroot is a little too restrictive: noexec or nosuid should be enough

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jul 31 05:59:11 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3715

            Bug ID: 3715
           Summary: safely_chroot is a little too restrictive: noexec or
                    nosuid should be enough
           Product: Portable OpenSSH
           Version: 9.8p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: joshudson at gmail.com

Created attachment 3828
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3828&action=edit
most of a patch restoring old documented behavior -- needs autoconf
work

>From my perspective this is a regression, but it's a regression from a
far branch somewhere, not from a previous version of openssh. The
second blockquote here https://unix.stackexchange.com/a/396684 seems to
be quoting the manpage from the branch but I can't find its origin.

We have this working on our deployment today with a decode old
codebase; but in testing a replacement server closer to stock openssh
it doesn't work.

The general case is you want a lot of sftp users; each chrooted into
their own home directory, and each having write access to their own
home directory; where each can see no other.

Basically, there's no reason in particular this configuration shouldn't
work:

Subsystem sftp internal-sftp

Match Group filedrop
    ChrootDirectory %h
    AllowTCPForwarding no
    X11Forwarding no

where the home directories of all the users are under /u and /u is
mounted noexec.

I was pretty much able to just fix the problem on the first attempt
except for I got lost in autoconf; I have a patch available that still
needs to be edited so that autoconf knows what to do. (There's still
some systems lacking the statvfs() call.)

There's one weirdity I haven't been able to explain though. Why is
nodev (to be) required? It's not like an external filesystem; the user
can't *make* devices. But that's what the document says; so that's what
I put back.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list