Restricted SFTP

Andrew Bartlett abartlet at
Fri Mar 23 18:06:41 EST 2001

Damien Miller wrote:
> On Fri, 23 Mar 2001, Andrew Bartlett wrote:
> > As I have mentioned earlier on this list, I want to allow (relitivly)
> > untrusted local users to SFTP to my server, as a secure method of remote
> > file access.
> >
> > What I would like to do is to keep users within their home directory.  I
> > don't mind that it follows symlinks (if fact its probably a
> > requirement), but some basic restriction on what users can see/access
> > would be handy.
> >
> > The check I would propose would simply be 'all files/direcories served
> > must start with /home/username'.
> >
> > Is this at all possible?
> Not at present (presuming you don't modify sftp-server yourself).
> A chroot capability is planned for the future, but has not been implemented
> yet.

It appears (by looking at the code) that a smattering of realpath and
strcmp calls could provide the required functionailty.  Does this looks
like the way to do it / do you see any problems with this approach?

Andrew Bartlett
abartlet at

More information about the openssh-unix-dev mailing list