[openssh-commits] [openssh] 03/13: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Jan 27 00:33:59 EST 2015


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit dcff5810a11195c57e1b3343c0d6b6f2b9974c11
Author: deraadt at openbsd.org <deraadt at openbsd.org>
Date:   Thu Jan 22 20:24:41 2015 +0000

    upstream commit
    
    Provide a warning about chroot misuses (which sadly, seem
     to have become quite popular because shiny).  sshd cannot detect/manage/do
     anything about these cases, best we can do is warn in the right spot in the
     man page. ok markus
---
 sshd_config.5 | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/sshd_config.5 b/sshd_config.5
index 88fe901..3b809c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.189 2015/01/13 07:39:19 djm Exp $
-.Dd $Mdocdate: January 13 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.190 2015/01/22 20:24:41 deraadt Exp $
+.Dd $Mdocdate: January 22 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -330,8 +330,10 @@ The default is
 Specifies the pathname of a directory to
 .Xr chroot 2
 to after authentication.
-All components of the pathname must be root-owned directories that are
-not writable by any other user or group.
+At session startup
+.Xr sshd 8
+checks that all components of the pathname are root-owned directories
+which are not writable by any other user or group.
 After the chroot,
 .Xr sshd 8
 changes the working directory to the user's home directory.
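Review bot: the reworded sentence at `At session startup ... checks that all components of the pathname are root-owned directories` describes the check but no longer states what happens when it fails; the old text ("must be") at least read as a hard requirement. Suggest one more sentence after `which are not writable by any other user or group.` stating that the session is refused when any component does not meet these conditions, so administrators understand that a misowned or group-writable component blocks the login rather than being silently accepted. Minor style point: `which are not writable` is a restrictive clause and reads more naturally as `that are not writable`, as in the removed text.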
@@ -368,6 +370,13 @@ inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
+For safety, it is very important that the directory heirarchy be
+prevented from modification by other processes on the system (especially
+those outside the jail).
+Misconfiguration can lead to unsafe environments which
+.Xr sshd 8
+cannot detect.
+.Pp
 The default is not to
 .Xr chroot 2 .
 .It Cm Ciphers
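Review bot: typo in the added paragraph: `heirarchy` in `For safety, it is very important that the directory heirarchy be` should be `hierarchy`. Since this is the man page, it is worth spelling out that "the directory hierarchy" means every path component from the root down to the chroot target, matching the per-component ownership check described under ChrootDirectory above, so that readers do not assume only the final directory needs protecting. Minor style point: `unsafe environments which` would read better as `unsafe environments that`.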

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
