OpenSSH 3.2.2 released : chroot

Ben Lindstrom mouring at etoh.eviladmin.org
Sat May 18 02:39:15 EST 2002


On Fri, 17 May 2002, Mike Johnson wrote:

> Ben Lindstrom [mouring at etoh.eviladmin.org] wrote:
> >
> > Out of interest why do you feel it's required to do chroot() at the
> > OpenSSH level?  Why don't you invest time into a shell that does the
> > chroot() for you?  That would work for telnet, ssh, etc. No need to
> > clutter up OpenSSH with options that can easily be implemented at a higher
> > level.
>
> Because, like you said, that required the shell to do it.  I'd rather
> trust OpenSSH to 'do the right thing' than a shell.  Plus, it's harder
> to break out of the OpenSSH chroot, than the shell based one.
>
It is?  HOW can you break out of a 10 line application written solely
to handle a chroot environment?  Which also allows you to clean up
the environment from nasty ~/.ssh/environment variables you may not
want.  I'm not saying 'rksh'.  I'm saying write a program that DOES the
chrooting for you.

You saying that almost 30,000 lines of code of which I venture to guess
5,000 or more are hit before you spawn a shell is more secure than a 10
line C application that handles the chroot process?  (No offence
Markus/Theo =)

Every line of code, every feature added, every platform added adds a
greater chance of error.  Add enough lines, features, platforms and you
get to a point where you have more code than you can comfortably audit
without missing edge cases.


> While it can be implemented at a higher level, I think it's -better-
> implemented at an OpenSSH level.
>

Don't agree with you on this.  Never will.  I've considered it for the
last few years and I can't come up with a good reason why it should
not be handled by a 'helper' style program instead of directly in the
system.

> So, my question is: would a decent patch be accepted?
>

We have declined such patches in the past.  And I suspect we will decline
such patches in the future.

There is a chroot patch floating around already.  And I know people that
apply it and use it happily.

- Ben
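The helper Ben describes, as an added example that is not part of this thread and not OpenSSH code: a small setuid-root login shell that chroots, drops root for good, and hands the jailed shell a fresh environment instead of the one sshd built from the user's ~/.ssh/environment. It assumes a shell at /bin/sh inside the jail and takes the jail boundary from a "/./" marker in the user's passwd home directory (e.g. /srv/jail/./home/mike); the marker convention, the install steps and the function names are the example's own assumptions, not something the post specifies.

```c
/* chrootsh.c: minimal chroot login-shell wrapper (added example, not OpenSSH code).
 * Install setuid root, list it in /etc/shells, make it the user's login shell,
 * and give the user a passwd home directory of the form /jail/./home/user:
 * everything before "/./" is the chroot, everything after is the directory
 * inside it. (The "/./" marker is this example's convention, assumed here.) */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_SHELL "/bin/sh"   /* shell inside the jail; assumed to exist there */

/* Split "/jail/./dir" into jail ("/jail") and inner dir ("/dir").
 * Returns 0 on success, -1 if the path is not absolute or has no marker. */
int split_jail(const char *home, char *jail, size_t jaillen, char *inner, size_t innerlen)
{
    const char *mark;
    size_t n;

    if (home == NULL || home[0] != '/')
        return -1;
    mark = strstr(home, "/./");
    if (mark == NULL || mark == home)          /* no marker, or jail would be "" */
        return -1;
    n = (size_t)(mark - home);
    if (n + 1 > jaillen || strlen(mark + 2) + 1 > innerlen)
        return -1;
    memcpy(jail, home, n);
    jail[n] = '\0';
    strcpy(inner, mark + 2);                   /* keeps the leading '/' */
    return 0;
}

/* "KEY=VALUE" on the heap; never freed because the array is handed to execve. */
static char *kv(const char *key, const char *val)
{
    size_t n = strlen(key) + strlen(val) + 2;
    char *s = malloc(n);
    if (s != NULL)
        snprintf(s, n, "%s=%s", key, val);
    return s;
}

/* The only environment the jailed shell will see. Whatever sshd inherited or
 * read from ~/.ssh/environment is deliberately discarded. NULL on allocation failure. */
char **build_env(const char *user, const char *inner_home)
{
    char **env = calloc(5, sizeof *env);
    if (env == NULL)
        return NULL;
    env[0] = kv("HOME", inner_home);
    env[1] = kv("USER", user);
    env[2] = kv("SHELL", JAIL_SHELL);
    env[3] = kv("PATH", "/bin:/usr/bin");
    env[4] = NULL;
    return (env[0] && env[1] && env[2] && env[3]) ? env : NULL;
}

/* Enter the jail and drop root. Group list is set before chroot so /etc/group
 * is read from the host; gid then uid are dropped after. Returns 0 or -1. */
int enter_jail(const struct passwd *pw, const char *jail, const char *inner)
{
    if (chdir(jail) != 0 || initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (chroot(jail) != 0 || chdir(inner) != 0)   /* inner is relative to new root */
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)         /* privileges must be gone for good */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = getpwuid(getuid());        /* real uid: the SSH user */
    char jail[PATH_MAX], inner[PATH_MAX];
    char *args[4];
    char **env;

    if (pw == NULL || split_jail(pw->pw_dir, jail, sizeof jail, inner, sizeof inner) != 0) {
        fprintf(stderr, "chrootsh: home directory has no /./ jail marker\n");
        return 1;
    }
    if (enter_jail(pw, jail, inner) != 0) {
        perror("chrootsh: cannot enter jail");
        return 1;
    }
    if ((env = build_env(pw->pw_name, inner)) == NULL)
        return 1;
    /* sshd runs "shell -c command" for non-interactive sessions; pass that
     * through unchanged, otherwise start an interactive login shell ("-sh"). */
    args[0] = "-sh";
    if (argc == 3 && strcmp(argv[1], "-c") == 0) {
        args[1] = "-c"; args[2] = argv[2]; args[3] = NULL;
    } else {
        args[1] = NULL;
    }
    execve(JAIL_SHELL, args, env);
    perror("chrootsh: execve");
    return 1;
}
```

Because sshd starts the login shell already running as the user, the wrapper has to be setuid root to call chroot() at all, which is why it drops root immediately afterwards and refuses to continue if setuid(0) still succeeds. Everything that is still reachable after that point is whatever the administrator copied into the jail, plus the single shell binary the wrapper execs.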




More information about the openssh-unix-dev mailing list