chrooting/jailing transfer-only accounts

Dan Astoorian djast at cs.toronto.edu
Tue May 28 09:04:10 EST 2002


On Mon, 27 May 2002 16:22:53 EDT, Ben Lindstrom writes:
> 
> > #define JAIL "/path/to/jail"
> > #define SHELL "/bin/sh"
> > int main(int argc, char **argv) {
> >     if (chroot(JAIL) != 0) {
> >         perror("chroot");
> >     } else if (chdir("/") != 0) {
> >         perror("chdir");
> [..]
> 	^^ Won't one want to consider dropping root before this?  The less
> code that is run by root, the better.

In general, yes.  Also in general, the sooner you rid yourself of any
file descriptors outside the new root, the better, which is the only
reason I wrote it in the order I did.  The other order would probably be
better, but in this specific instance, I don't think it really matters
(although if the chdir() were to anyplace other than "/", then it would
definitely be more important to drop root first).

> The only thing that should be considered is how to correctly pull the
> user's home directory.  One should ponder if that code should be run as a
> non-root user.

Personally, if I were setting up a wrapper for a single sftp-only
account, I'd probably just hard-code everything into the script before
the execv().  In fact, I'd probably hard-code the environment and
arguments too, rather than allowing SHELL to inherit them.

I didn't mean to suggest that this 15-line off-the-cuff program was a
complete prepackaged solution: I was hoping it would be enough of a hint
for people like Sandor, who lamented that:

| [...]Some people feel that this 
| is a "trivial" problem that can be solved without adding code to 
| OpenSSH.  If it is, I'm not smart enough to figure it out, and I 
| haven't seen any examples of such a solution posted to the list.

to perhaps fill in the pieces.

> As for argument processing with getopt()  that is a no-brainer.[...]

I don't see any need for argument processing in the wrapper....

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican
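The wrapper sketched in the message above, filled in as an added example (this is not the program from the thread and not OpenSSH code). It follows the order Dan describes: close every descriptor above stderr, chroot() while still root, chdir("/") so the working directory is inside the new root, then drop supplementary groups, gid and uid, and finally execve() with a hard-coded argv and environment instead of inheriting them. It also refuses to exec if root can still be regained, since a chroot that is still running as root is not a jail. The jail path, the uid/gid and the sftp-server location are assumptions; adjust them for the real account.

```c
/* sftp-jail.c: chroot wrapper for a single sftp-only account.
 * Added example; not the wrapper posted in the thread, not OpenSSH code.
 * Build: cc -O2 -Wall -o sftp-jail sftp-jail.c ; install setuid root and
 * use it as the account's login shell. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical values for illustration: change them for the real jail. */
#define JAIL        "/srv/jail/sftponly"
#define JAIL_UID    ((uid_t)1234)
#define JAIL_GID    ((gid_t)1234)
/* Path of sftp-server as seen from INSIDE the jail (it must be copied there). */
#define SFTP_SERVER "/usr/libexec/sftp-server"

/* Hard-coded argv and environment: nothing is inherited from sshd or the user. */
char *const jail_argv[] = { SFTP_SERVER, NULL };
char *const jail_envp[] = { "PATH=/bin", "HOME=/", "SHELL=/bin/false", NULL };

/* Close every descriptor above stderr so no open handle on the outside
 * tree survives into the jail (the reason for chrooting before dropping root). */
void close_extra_fds(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;
    for (int fd = 3; fd < maxfd; fd++) close(fd);
}

/* Step 1: chroot() and then chdir("/") so the cwd is inside the new root.
 * Returns 0 on success, -1 with errno set on failure (needs root). */
int enter_jail(const char *jail) {
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Step 2: drop root irreversibly, groups first (setgroups needs root),
 * then gid, then uid, so a failure part-way leaves an error, not root. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Returns 1 if the process cannot regain root, 0 otherwise.  After a
 * successful setuid() to a non-zero uid, setuid(0) must fail with EPERM. */
int privileges_dropped(void) {
    if (getuid() == 0 || geteuid() == 0) return 0;
    if (setuid(0) == 0) return 0;
    return 1;
}

int main(void) {
    close_extra_fds();
    if (enter_jail(JAIL) != 0) {
        perror("chroot/chdir");
        return 1;
    }
    if (drop_privileges(JAIL_UID, JAIL_GID) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped()) {
        fprintf(stderr, "still root inside the jail, refusing to exec\n");
        return 1;
    }
    execve(jail_argv[0], jail_argv, jail_envp);
    perror("execve");
    return 1;
}
```

The chdir("/") matters even though the account never gets a shell: a process whose working directory is outside the new root can still reach the outside tree through relative paths. The privileges_dropped() check is cheap and turns a silent misconfiguration (for example a setuid() that failed on a system where the uid does not exist) into a refusal to exec.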


