OpenSSH 3.2.2 released : chroot
Dan Astoorian
djast at cs.toronto.edu
Sat May 18 22:56:38 EST 2002
On Sat, 18 May 2002 06:10:31 EDT, Pekka Savola writes:
> On Fri, 17 May 2002, Ben Lindstrom wrote:
> > Out of interest why do you feel it's required to do chroot() at the
> > OpenSSH level? Why don't you invest time into a shell that does the
> > chroot() for you? That would work for telnet, ssh, etc. No need to
> > clutter up OpenSSH with options that can easily be implemented at a higher
> > level.
>
> One word: sftp.
How is sftp different from any other application or subsystem?
If the user's login shell is a wrapper which calls chroot() and then
runs a real shell, then sftp-server will be wrapped along with anything
else the user could run via ssh.
Incidentally, does the chroot patch work with
UsePrivilegeSeparation=yes? I haven't tried it, but I suspect it might
not work, since my understanding of UsePrivilegeSeparation is that the
child process never runs with sufficient privileges for the chroot() to
succeed. However, a wrapper program wouldn't have that sort of problem.
--
Dan Astoorian People shouldn't think that it's better to have
Sysadmin, CSLab loved and lost than never loved at all. It's
djast at cs.toronto.edu not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican
More information about the openssh-unix-dev
mailing list