Restricted SFTP
Andrew Bartlett
abartlet at pcug.org.au
Fri Mar 23 18:06:41 EST 2001
Damien Miller wrote:
>
> On Fri, 23 Mar 2001, Andrew Bartlett wrote:
>
> > As I have mentioned earlier on this list, I want to allow (relitivly)
> > untrusted local users to SFTP to my server, as a secure method of remote
> > file access.
> >
> > What I would like to do is to keep users within their home directory. I
> > don't mind that it follows symlinks (if fact its probably a
> > requirement), but some basic restriction on what users can see/access
> > would be handy.
> >
> > The check I would propose would simply be 'all files/direcories served
> > must start with /home/username'.
> >
> > Is this at all possible?
>
> Not at present (presuming you don't modify sftp-server yourself).
> A chroot capability is planned for the future, but has not been implemented
> yet.
>
It appears (by looking at the code) that a smattering of realpath and
strcmp calls could provide the required functionailty. Does this looks
like the way to do it / do you see any problems with this approach?
--
Andrew Bartlett
abartlet at pcug.org.au
More information about the openssh-unix-dev
mailing list