chroot sftp-server [PATCH]

mouring at etoh.eviladmin.org
Fri May 25 22:44:17 EST 2001



On Fri, 25 May 2001, Andrew Bartlett wrote:

> Damien Miller wrote:
> >
> > On Fri, 25 May 2001, Andrew Bartlett wrote:
> >
> > > Is there any way of making this work?  This is the method I much prefer,
> > > and was looking at implementing a while ago.  I'm glad somebody's taken a
> > > stab at it.
> > >
> > > I run SFTP specifically because it does not require a ROOT daemon (apart
> > > from OpenSSH, which I run already) nor does it require a set-uid
> > > binary.  Hence my interest in this patch.
> >
> > I am not too fussed about a setuid sftp-server, so long as it does
> > chdir,chroot,setuid as its first actions. IMO this is preferable
> > to patch-checking schemes which introduce complexity and may be
> > possible to fool.
> >
>
That is my main concern also.  However, I don't think that the patch I'm
working on introduces that much complexity.  And as long as 'realpath()'
does its job then it should be fairly secure.

> Unfortunately it would (if I understand it correctly) break things like
> symbolic links, if they were so unfortunate as to be absolute, rather
> than relative, would it not?
>
> For example, I have a 'shared folder' system that uses links from
> ~/groupname to /home/groups/groupname.  I was intending to restrict my
> users to files under /home with a patch like this, as it seemed the best
> solution.
>

It really depends on how your OS handles symlinks.  In the symlink tests I
did linking /tmp to ~/tmp I found that I could not cd ~/tmp because it
happened to be a soft link and realpath() resolved it correctly and it was
denied.

- Ben
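Ben's symlink test above, as an added example (not the patch under discussion, and not OpenSSH code): a realpath()-based confinement check that canonicalises both the root and the requested path, plus a constructed scratch layout showing that an absolute link pointing out of the root is denied while a relative link inside it is allowed. The names path_within and demo_symlink_escape, and the /tmp scratch directory, are my own choices.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if `path`, after realpath() resolves every symlink and "..", lies
 * inside `root` (also canonicalised); 0 if it lies outside or cannot be resolved.
 * This is a one-instant check: the link could change right after it, which is
 * the "may be possible to fool" concern raised in the thread. */
int path_within(const char *root, const char *path)
{
    char rroot[PATH_MAX], rpath[PATH_MAX];
    if (realpath(root, rroot) == NULL || realpath(path, rpath) == NULL)
        return 0;                         /* deny on any resolution failure */
    if (strcmp(rroot, "/") == 0)
        return 1;                         /* everything resolves under "/" */
    size_t n = strlen(rroot);
    /* prefix match plus a separator, so root "/home" does not admit "/homer" */
    return strncmp(rpath, rroot, n) == 0 && (rpath[n] == '\0' || rpath[n] == '/');
}

/* Constructed layout mirroring the thread, in a scratch directory (hypothetical
 * home, not a real one): <home>/tmp -> /tmp (absolute) and <home>/docs -> data
 * (relative). Returns 1 if the absolute link is denied and the relative link is
 * allowed, 0 if not, -1 on setup failure. Cleans up after itself. */
int demo_symlink_escape(void)
{
    char home[] = "/tmp/chrootdemoXXXXXX";
    char data[PATH_MAX], abs_link[PATH_MAX], rel_link[PATH_MAX];
    int ok = -1;
    if (mkdtemp(home) == NULL)
        return -1;
    snprintf(data, sizeof data, "%s/data", home);
    snprintf(abs_link, sizeof abs_link, "%s/tmp", home);
    snprintf(rel_link, sizeof rel_link, "%s/docs", home);
    if (mkdir(data, 0700) == 0 && symlink("/tmp", abs_link) == 0 &&
        symlink("data", rel_link) == 0) {
        int abs_inside = path_within(home, abs_link);   /* resolves to /tmp: 0 */
        int rel_inside = path_within(home, rel_link);   /* resolves to <home>/data: 1 */
        ok = (!abs_inside && rel_inside) ? 1 : 0;
    }
    unlink(abs_link); unlink(rel_link); rmdir(data); rmdir(home);
    return ok;
}
```

Calling demo_symlink_escape() reproduces Ben's observation: the ~/tmp -> /tmp link is resolved by realpath() to a location outside the home and denied, whereas Andrew's absolute ~/groupname links would be denied for the same reason unless the root is widened to cover their targets.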
